Windows Analysis Report
542CxvZnI5.dll

Overview

General Information

Sample name: 542CxvZnI5.dll (renamed because original name is a hash value)
Original sample name: be3c1ef872e8e146ff78e66271ca261b.dll
Analysis ID: 1591515
MD5: be3c1ef872e8e146ff78e66271ca261b
SHA1: 0e3c7374332d4a507fdbd7b30f5f78d7a4fbafcc
SHA256: f63eb4858e66889e8b62e6e72fe5d5620995c3fccaa8cd23043c22ddb3c6aa02
Tags: dll, exe, user-mentality

Detection

Virut, Wannacry
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Virut
Yara detected Wannacry ransomware
AI detected suspicious sample
Changes memory attributes in foreign processes to executable or writable
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may execute only at specific dates)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Tries to evade debugger and weak emulator (self modifying code)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Connects to several IPs in different countries
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4524 cmdline: loaddll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2640 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5980 cmdline: rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • mssecsvc.exe (PID: 6392 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 433720564D376A59C4FC3F2F8ACEC030)
          • winlogon.exe (PID: 564 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)
          • lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)
          • svchost.exe (PID: 752 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • fontdrvhost.exe (PID: 780 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • fontdrvhost.exe (PID: 788 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)
          • svchost.exe (PID: 872 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 924 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • dwm.exe (PID: 992 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)
          • svchost.exe (PID: 1188 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1416 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1460 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1700 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1820 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1936 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
          • svchost.exe (PID: 1952 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • rundll32.exe (PID: 2680 cmdline: rundll32.exe C:\Users\user\Desktop\542CxvZnI5.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2504 cmdline: rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvc.exe (PID: 1536 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 433720564D376A59C4FC3F2F8ACEC030)
  • mssecsvc.exe (PID: 6572 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 433720564D376A59C4FC3F2F8ACEC030)
    • svchost.exe (PID: 444 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 732 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 280 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1056 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1068 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1148 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1232 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1324 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1384 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1424 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1612 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1688 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1836 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 1944 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):
Source: 542CxvZnI5.dll, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 542CxvZnI5.dll, Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
    • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
    • 0x38f735:$x2: taskdl.exe
    • 0x353d0:$x3: tasksche.exe
    • 0x455e0:$x3: tasksche.exe
    • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
    • 0x45634:$x5: WNcry@2ol7
    • 0x3028:$x7: mssecsvc.exe
    • 0x120ac:$x7: mssecsvc.exe
    • 0x1b3b4:$x7: mssecsvc.exe
    • 0x353a8:$x8: C:\%s\qeriuwjhrf
    • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
    • 0x3014:$s1: C:\%s\%s
    • 0x12098:$s1: C:\%s\%s
    • 0x1b39c:$s1: C:\%s\%s
    • 0x353bc:$s1: C:\%s\%s
    • 0x38fe99:$s2: Windows 10 -->
    • 0x45534:$s3: cmd.exe /c "%s"
    • 0x77a88:$s4: msg/m_portuguese.wnry
    • 0x38f307:$s4: msg/m_portuguese.wnry
    • 0x326f0:$s5: \\192.168.56.20\IPC$
    • 0x1fae5:$s6: \\172.16.99.5\IPC$
Source: 542CxvZnI5.dll, Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
    • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Yara matches on dropped files (Source, Rule, Description, Author, Strings):
Source: C:\Windows\tasksche.exe, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: C:\Windows\tasksche.exe, Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
      • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
      • 0x35962d:$x2: taskdl.exe
      • 0xf4d8:$x3: tasksche.exe
      • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
      • 0xf52c:$x5: WNcry@2ol7
      • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
      • 0x359d91:$s2: Windows 10 -->
      • 0xf42c:$s3: cmd.exe /c "%s"
      • 0x41980:$s4: msg/m_portuguese.wnry
      • 0x3591ff:$s4: msg/m_portuguese.wnry
      • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
      • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
      • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: C:\Windows\tasksche.exe, Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
      • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
      • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: C:\Windows\tasksche.exe, Rule: Win32_Ransomware_WannaCry, Description: unknown, Author: ReversingLabs
      • 0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ...
      • 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Source: C:\Windows\mssecsvc.exe, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Yara matches on memory dumps (Source, Rule, Description, Author, Strings):
Source: 0000001C.00000000.2241048704.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Rule: JoeSecurity_Virut, Description: Yara detected Virut, Author: Joe Security
Source: 00000023.00000002.3405944268.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Rule: JoeSecurity_Virut, Description: Yara detected Virut, Author: Joe Security
Source: 00000005.00000002.2369222468.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Rule: JoeSecurity_Virut, Description: Yara detected Virut, Author: Joe Security
Source: 00000010.00000000.2185024353.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 00000027.00000002.3406467423.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Rule: JoeSecurity_Virut, Description: Yara detected Virut, Author: Joe Security
Yara matches on unpacked PE files (Source, Rule, Description, Author, Strings):
Source: 17.2.mssecsvc.exe.1f91084.3.raw.unpack, Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
                  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
                  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
                  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 17.2.mssecsvc.exe.24b48c8.6.raw.unpack, Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
                  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
                  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
                  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Author: Joe Security
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Author: Florian Roth (with the help of binar.ly)
                    • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
                    • 0x35962d:$x2: taskdl.exe
                    • 0xf4d8:$x3: tasksche.exe
                    • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
                    • 0xf52c:$x5: WNcry@2ol7
                    • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
                    • 0x359d91:$s2: Windows 10 -->
                    • 0xf42c:$s3: cmd.exe /c "%s"
                    • 0x41980:$s4: msg/m_portuguese.wnry
                    • 0x3591ff:$s4: msg/m_portuguese.wnry
                    • 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
                    • 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56
                    • 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Author: us-cert code analysis team
                    • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
                    • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

                    System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\WINDOWS\mssecsvc.exe, ParentImage: C:\Windows\mssecsvc.exe, ParentProcessId: 6392, ParentProcessName: mssecsvc.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 752, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\WINDOWS\mssecsvc.exe, ParentImage: C:\Windows\mssecsvc.exe, ParentProcessId: 6392, ParentProcessName: mssecsvc.exe, ProcessCommandLine: winlogon.exe, ProcessId: 564, ProcessName: winlogon.exe
Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2025-01-15T02:52:28.619850+0100 | 2012730 | 1 | A Network Trojan was detected | 192.168.2.5:49261 | 1.1.1.1:53 | UDP
2025-01-15T02:53:20.056518+0100 | 2012730 | 1 | A Network Trojan was detected | 192.168.2.5:63298 | 1.1.1.1:53 | UDP
2025-01-15T02:53:28.828299+0100 | 2811157 | 1 | A Network Trojan was detected | 1.1.1.1:53 | 192.168.2.5:49370 | UDP

                    AV Detection

Source: 542CxvZnI5.dll, Avira: detected
Source: C:\Windows\mssecsvc.exe, Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe, Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\WINDOWS\qeriuwjhrf (copy), ReversingLabs: Detection: 92%
Source: C:\Windows\mssecsvc.exe, ReversingLabs: Detection: 95%
Source: C:\Windows\tasksche.exe, ReversingLabs: Detection: 92%
Source: 542CxvZnI5.dll, Virustotal: Detection: 90%
Source: 542CxvZnI5.dll, ReversingLabs: Detection: 92%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.0% probability
Source: C:\Windows\mssecsvc.exe, Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe, Joe Sandbox ML: detected
Source: 542CxvZnI5.dll, Joe Sandbox ML: detected

                    Exploits

                    Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.102:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.103:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.108:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.109:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.106:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.107:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.100:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.101:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.113:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.114:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.111:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.112:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.110:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
                    Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
                    Source: 542CxvZnI5.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

                    Networking

                    Source: Network traffic | Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.5:49261 -> 1.1.1.1:53
                    Source: Network traffic | Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.5:63298 -> 1.1.1.1:53
                    Source: unknownDNS traffic detected: query: lepdbj.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ersgvh.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: imdznk.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: remieu.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: fxumem.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kfguna.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: abyeya.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: bjeako.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: oaqqkf.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kkuzud.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: dkrbtp.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: akzoeg.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: uteyyp.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: voydqz.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ogoeuu.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: tkkvba.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kiieiy.com replaycode: Name error (3)
                    Source: unknownNetwork traffic detected: IP country count 10
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: Network trafficSuricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.5:49370
                    Source: unknownDNS traffic detected: query: urxxuf.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ngemix.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: rqegva.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: xzgrlj.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ant.trenz.pl replaycode: Server failure (2)
                    Source: unknownDNS traffic detected: query: oacbaq.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: slnmhg.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: pojfeg.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ilo.brenz.pl replaycode: Server failure (2)
                    Source: unknownDNS traffic detected: query: asjuen.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: oqpzuo.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: rxexyq.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ebohzv.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: toexkd.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: eijfjn.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: qiurmh.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: vttzwu.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: yscyez.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: xdzsqn.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: poqxaa.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ezaeqf.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: lepdbj.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ersgvh.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: imdznk.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: remieu.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: fxumem.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kfguna.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: abyeya.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: bjeako.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: oaqqkf.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kkuzud.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: dkrbtp.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: akzoeg.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: uteyyp.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: voydqz.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: ogoeuu.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: tkkvba.com replaycode: Name error (3)
                    Source: unknownDNS traffic detected: query: kiieiy.com replaycode: Name error (3)
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 23.1.237.91
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.126.32.74
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: unknownTCP traffic detected without corresponding DNS query: 40.115.3.253
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD27A1 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle | 5_2_00AD27A1
                    Source: lsass.exe, 00000008.00000000.2160835567.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3460531405.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://3csp.icrosof4m/ocp0
                    Source: Microsoft-Windows-LiveId%4Operational.evtx.25.dr | String found in binary or memory: http://Passport.NET/tb
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                    Source: lsass.exe, 00000008.00000000.2160748939.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3456869482.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160070128.00000140AD866000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160070128.00000140AD866000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: lsass.exe, 00000008.00000000.2160748939.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3456869482.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                    Source: lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: lsass.exe, 00000008.00000000.2160748939.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3456869482.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
                    Source: lsass.exe, 00000008.00000000.2160158196.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3439187607.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                    Source: lsass.exe, 00000008.00000000.2160158196.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3439187607.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
                    Source: lsass.exe, 00000008.00000002.3435170210.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160070128.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160070128.00000140AD866000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160748939.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3456869482.00000140AE05A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                    Source: lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0H
                    Source: lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
                    Source: lsass.exe, 00000008.00000000.2160835567.00000140AE074000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161066795.00000140AE19A000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3465840345.00000140AE19D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                    Source: svchost.exe, 0000001A.00000000.2232869398.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3435170210.00000140AD850000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160070128.00000140AD850000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
                    Source: lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: lsass.exe, 00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
                    Source: lsass.exe, 00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
                    Source: lsass.exe, 00000008.00000000.2161179424.00000140AE203000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3471111449.00000140AE21C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161179424.00000140AE21B000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1AB000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160697715.00000140AE000000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2161084952.00000140AE1B3000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
                    Source: svchost.exe, 00000022.00000000.2260193179.000001E709ED9000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.msftconnecttest.com
                    Source: svchost.exe, 00000009.00000000.2170070690.000001A78716B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://az804205.vo.msecnd.net/
                    Source: svchost.exe, 00000009.00000000.2170070690.000001A78716B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://az815563.vo.msecnd.net/
                    Source: svchost.exe, 00000009.00000002.3482183875.000001A786A3D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.3487132793.000001A786B00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2166233180.000001A786A3D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2166701119.000001A786B00000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.onenote.net/livetile/?Language=
                    Source: svchost.exe, 00000009.00000002.3458096495.000001A78602A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2163338253.000001A78602A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.cn/shellRESP
                    Source: svchost.exe, 00000009.00000002.3458096495.000001A78602A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.2163338253.000001A78602A000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com/shell
                    Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49986
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
                    Source: unknown | Network traffic detected: HTTP traffic on port 50015 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50674
                    Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50475
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50673
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50015
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50675
                    Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49986 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50674 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknown | Network traffic detected: HTTP traffic on port 50402 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50475 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50320 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
                    Source: unknown | Network traffic detected: HTTP traffic on port 49675 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50402
                    Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50320
                    Source: unknown | Network traffic detected: HTTP traffic on port 50393 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50300
                    Source: unknown | Network traffic detected: HTTP traffic on port 50300 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50673 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 50675 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50393
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                    Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49716 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49719 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49720 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49742 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49743 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:49986 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50015 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50300 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50320 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50475 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50673 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50674 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.5:50675 version: TLS 1.2

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: Yara match | File source: 542CxvZnI5.dll, type: SAMPLE
                    Source: Yara match | File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24b48c8.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24bf8e8.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1f9c0a4.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.24c3948.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 17.2.mssecsvc.exe.1fa0104.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000010.00000000.2185024353.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2367251245.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.2185188875.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2367955469.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.2155806207.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.2979906966.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000000.2188065513.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000011.00000000.2188241979.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 1536, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: mssecsvc.exe PID: 6572, type: MEMORYSTR
                    Source: Yara match | File source: C:\Windows\tasksche.exe, type: DROPPED
                    Source: Yara match | File source: C:\Windows\mssecsvc.exe, type: DROPPED

                    System Summary

                    Source: 542CxvZnI5.dll, type: SAMPLE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 542CxvZnI5.dll, type: SAMPLE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1f91084.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24b48c8.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.24b48c8.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24b48c8.6.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.24bf8e8.8.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24bf8e8.8.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1f9c0a4.2.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1f9c0a4.2.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.24c3948.7.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.24c3948.7.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 17.2.mssecsvc.exe.1fa0104.4.unpack, type: UNPACKEDPE | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: 17.2.mssecsvc.exe.1fa0104.4.unpack, type: UNPACKEDPE | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000010.00000000.2185188875.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: 00000011.00000000.2188241979.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: C:\Windows\tasksche.exe, type: DROPPED | Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                    Source: C:\Windows\mssecsvc.exe, type: DROPPED | Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
                    Source: mssecsvc.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00A7302F NtSetInformationProcess,5_2_00A7302F
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,5_2_00AD05F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,5_2_00AD042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD2529 NtOpenSection,5_2_00AD2529
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD256E NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,5_2_00AD256E
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD1169 LoadLibraryA,GetModuleHandleA,CreateFileMappingA,LookupPrivilegeValueA,NtAdjustPrivilegesToken,5_2_00AD1169
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD2471 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,5_2_00AD2471
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD24A8 lstrcpyW,lstrlenW,NtCreateSection,5_2_00AD24A8
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD3397 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,5_2_00AD3397
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD141C LookupPrivilegeValueA,NtAdjustPrivilegesToken,5_2_00AD141C
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD3372 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,5_2_00AD3372
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD1444 LookupPrivilegeValueA,NtAdjustPrivilegesToken,5_2_00AD1444
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE305F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,5_2_7FE305F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE324A8 lstrcpyW,lstrlenW,NtCreateSection,5_2_7FE324A8
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE33397 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,5_2_7FE33397
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE3256E NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,5_2_7FE3256E
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE33372 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,5_2_7FE33372
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE32471 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,5_2_7FE32471
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE31444 LookupPrivilegeValueA,NtAdjustPrivilegesToken,5_2_7FE31444
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE32529 NtOpenSection,5_2_7FE32529
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE3042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,5_2_7FE3042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE3141C LookupPrivilegeValueA,NtAdjustPrivilegesToken,5_2_7FE3141C
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE405F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,16_2_7FE405F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE424A8 lstrcpyW,lstrlenW,NtCreateSection,16_2_7FE424A8
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE43397 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,16_2_7FE43397
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE4256E NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,16_2_7FE4256E
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE42471 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,16_2_7FE42471
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE43372 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,16_2_7FE43372
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE41444 LookupPrivilegeValueA,NtAdjustPrivilegesToken,16_2_7FE41444
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE4042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,16_2_7FE4042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE42529 NtOpenSection,16_2_7FE42529
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE4141C LookupPrivilegeValueA,NtAdjustPrivilegesToken,16_2_7FE4141C
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00A7302F NtSetInformationProcess,17_2_00A7302F
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,17_2_00BF05F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,17_2_00BF042D
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF2529 NtOpenSection,17_2_00BF2529
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF2471 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,17_2_00BF2471
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF256E NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,17_2_00BF256E
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF1169 LoadLibraryA,GetModuleHandleA,CreateFileMappingA,LookupPrivilegeValueA,NtAdjustPrivilegesToken,17_2_00BF1169
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF24A8 lstrcpyW,lstrlenW,NtCreateSection,17_2_00BF24A8
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF3397 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,17_2_00BF3397
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF141C LookupPrivilegeValueA,NtAdjustPrivilegesToken,17_2_00BF141C
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF3372 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,17_2_00BF3372
                    Source: C:\Windows\mssecsvc.exeCode function: 17_2_00BF1444 LookupPrivilegeValueA,NtAdjustPrivilegesToken,17_2_00BF1444
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe | File created: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD1169 | 5_2_00AD1169
Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD28C2 | 5_2_00AD28C2
Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE328C2 | 5_2_7FE328C2
Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE34BD7 | 5_2_7FE34BD7
Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE428C2 | 16_2_7FE428C2
Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE44BD7 | 16_2_7FE44BD7
Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF1169 | 17_2_00BF1169
Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF28C2 | 17_2_00BF28C2
Source: Joe Sandbox View | Dropped File: C:\WINDOWS\qeriuwjhrf (copy) 331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
Source: Joe Sandbox View | Dropped File: C:\Windows\tasksche.exe 331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
Source: mssecsvc.exe.3.dr | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.5.dr | Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: 542CxvZnI5.dll | Binary or memory string: OriginalFilenamediskpart.exej% vs 542CxvZnI5.dll
Source: 542CxvZnI5.dll | Binary or memory string: OriginalFilenamelhdfrgui.exej% vs 542CxvZnI5.dll
Source: 542CxvZnI5.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 542CxvZnI5.dll, type: SAMPLE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 542CxvZnI5.dll, type: SAMPLE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1f91084.3.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24b48c8.6.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1fc3128.5.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24e696c.9.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.24c3948.7.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.24b48c8.6.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24b48c8.6.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24e696c.9.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1fc3128.5.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.1fa0104.4.raw.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24bf8e8.8.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24bf8e8.8.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1f9c0a4.2.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1f9c0a4.2.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.1f91084.3.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24c3948.7.unpack, type: UNPACKEDPE | Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24c3948.7.unpack, type: UNPACKEDPE | Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 17.2.mssecsvc.exe.1fa0104.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: 17.2.mssecsvc.exe.1fa0104.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000010.00000000.2185188875.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: 00000011.00000000.2188241979.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                    Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
                    Source: tasksche.exe.5.drBinary string: 4\Device\HarddiskVolume1\Windows\System32\ieframe.dllnF
                    Source: tasksche.exe.5.drBinary string: ,\Device\HarddiskVolume1\Users\User\Favorites-p
                    Source: tasksche.exe.5.drBinary string: v\Device\HarddiskVolume1\Program Files\Alice.Madness Returns + 2 DLC\Game\Alice2\Binaries\Win32\AliceMadnessReturns.exe|mop
                    Source: tasksche.exe.5.drBinary string: 5\Device\HarddiskVolume1\Windows\System32\perfproc.dllp
                    Source: Microsoft-Windows-SMBServer%4Operational.evtx.25.drBinary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
                    Source: tasksche.exe.5.drBinary string: 7\Device\HarddiskVolume1\Windows\System32\framedynos.dll
                    Source: tasksche.exe.5.drBinary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dllp
                    Source: tasksche.exe.5.drBinary string: ~\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnkT+
                    Source: mssecsvc.exe, 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, 542CxvZnI5.dll, mssecsvc.exe.3.dr, tasksche.exe.5.drBinary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
                    Source: classification engine  Classification label: mal100.rans.troj.expl.evad.winDLL@16/62@0/100
                    Source: C:\Windows\mssecsvc.exe  Code function: 5_2_00AD05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,5_2_00AD05F2
                    Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
                    Source: 542CxvZnI5.dll  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\loaddll32.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\542CxvZnI5.dll,PlayGame
                    Source: 542CxvZnI5.dll  Virustotal: Detection: 90%
                    Source: 542CxvZnI5.dll  ReversingLabs: Detection: 92%
                    Source: unknown  Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll"
                    Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1
                    Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1
                    Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                    Source: C:\Windows\System32\loaddll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",PlayGame
                    Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
                    Source: unknown  Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
                    Source: C:\Windows\System32\loaddll32.exe  Section loaded: apphelp.dll
                    Source: C:\Windows\System32\loaddll32.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\cmd.exe  Section loaded: apphelp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: apphelp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: msvcp60.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: iphlpapi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: wininet.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: iertutil.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: sspicli.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: windows.storage.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: wldp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: profapi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: winhttp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: mswsock.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: winnsi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: msvcp60.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: iphlpapi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: wininet.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: iertutil.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: sspicli.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: windows.storage.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: wldp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: profapi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: winhttp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: kernel.appcore.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: mswsock.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: winnsi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: cryptsp.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: rsaenh.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: cryptbase.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: dnsapi.dll
                    Source: C:\Windows\mssecsvc.exe  Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\mssecsvc.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                    Source: 542CxvZnI5.dll  Static file information: File size 5267459 > 1048576
                    Source: 542CxvZnI5.dll  Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000018.00000000.2223968868.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: .@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2223968868.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: "@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: +@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000002.3422282579.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2223907093.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct42C5.tmp.pdb source: svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2223968868.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error source: svchost.exe, 00000018.00000000.2223968868.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000000.2223968868.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.errorb source: svchost.exe, 00000018.00000002.3422282579.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2223907093.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb* source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ~1.PDB @ source: svchost.exe, 00000018.00000000.2223968868.0000024B8764A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3424115726.0000024B87641000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000002.3422282579.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.2223907093.0000024B8762B000.00000004.00000001.00020000.00000000.sdmp
                    Source: Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\wct4B1.tmpp.pdb source: svchost.exe, 00000018.00000000.2224075143.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.3425200185.0000024B8765A000.00000004.00000001.00020000.00000000.sdmp
                    Source: C:\Windows\mssecsvc.exe  Code function: 5_2_00AD3CC8 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,CreateThread,CloseHandle,WSAStartup,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,5_2_00AD3CC8
                    Source: initial sample  Static PE information: section where entry point is pointing to: vzdbmga
                    Source: mssecsvc.exe.3.dr  Static PE information: section name: vzdbmga
                    Source: mssecsvc.exe.3.dr  Static PE information: section name: vzdbmga entropy: 7.2160923714047565

                    Persistence and Installation Behavior

                    barindex
                    Source: C:\Windows\SysWOW64\rundll32.exe  Executable created and started: C:\WINDOWS\mssecsvc.exe
                    Source: C:\Windows\mssecsvc.exe  File created: C:\WINDOWS\qeriuwjhrf (copy)
                    Source: C:\Windows\SysWOW64\rundll32.exe  File created: C:\Windows\mssecsvc.exe
                    Source: C:\Windows\mssecsvc.exe  File created: C:\Windows\tasksche.exe
                    Source: C:\Windows\SysWOW64\rundll32.exe  Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Source: C:\Windows\mssecsvc.exe  Evasive API call chain: GetSystemTime,DecisionNodes,Sleep  graph_17-2489
                    Source: C:\Windows\mssecsvc.exe  Special instruction interceptor: First address: A7986A instructions caused by: Self-modifying code
                    Source: C:\Windows\mssecsvc.exe  Special instruction interceptor: First address: A73350 instructions caused by: Self-modifying code
                    Source: C:\Windows\mssecsvc.exe  Code function: 5_2_00A79868 rdtsc 5_2_00A79868
                    Source: C:\Windows\mssecsvc.exe  Thread delayed: delay time: 86400000
                    Source: C:\Windows\mssecsvc.exe  Dropped PE file which has not been started: C:\WINDOWS\qeriuwjhrf (copy)
                    Source: C:\Windows\mssecsvc.exe  Dropped PE file which has not been started: C:\Windows\tasksche.exe
                    Source: C:\Windows\mssecsvc.exe  Evasive API call chain: GetSystemTime,DecisionNodes  graph_17-2489
                    Source: C:\Windows\mssecsvc.exe  API coverage: 6.2 %
                    Source: C:\Windows\mssecsvc.exe  API coverage: 1.4 %
                    Source: C:\Windows\mssecsvc.exe  API coverage: 7.3 %
                    Source: C:\Windows\mssecsvc.exe TID: 1784  Thread sleep count: 88 > 30
                    Source: C:\Windows\mssecsvc.exe TID: 1784  Thread sleep time: -176000s >= -30000s
                    Source: C:\Windows\mssecsvc.exe TID: 3652  Thread sleep count: 126 > 30
                    Source: C:\Windows\mssecsvc.exe TID: 3652  Thread sleep count: 43 > 30
                    Source: C:\Windows\mssecsvc.exe TID: 1784  Thread sleep time: -86400000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe  File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed
                    Source: C:\Windows\System32\loaddll32.exe  Thread delayed: delay time: 120000
                    Source: Microsoft-Windows-Partition%4Diagnostic.evtx.25.drBinary or memory string: VMwareVirtual disk2.06000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmicheartbeat
                    Source: svchost.exe, 00000019.00000000.2226269258.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000019.00000002.3444789529.00000205FAC2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
                    Source: svchost.exe, 00000019.00000002.3447620312.00000205FAC43000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: (@vmci
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: VMware SATA CD00
                    Source: svchost.exe, 00000017.00000002.3431988576.00000254A202B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: NECVMWarVMware SATA CD00
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                    Source: svchost.exe, 0000000C.00000002.3446062414.000001D55D042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.2176775642.000001D55D042000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3442840937.000001D55D013000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000C.00000000.2176730998.000001D55D013000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: dwm.exe, 0000000E.00000002.3509386634.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000=
                    Source: svchost.exe, 00000029.00000002.3435246206.000001C781F02000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.drBinary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                    Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
                    Source: dwm.exe, 0000000E.00000002.3509386634.0000011607ED0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                    Source: System.evtx.25.drBinary or memory string: VMCI: Using capabilities (0x1c).
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
                    Source: svchost.exe, 00000019.00000000.2226011203.00000205FABB0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f58
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1e
                    Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c292b65879ff477a6af604113f588
                    Source: svchost.exe, 00000009.00000000.2166137749.000001A786A25000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.drBinary or memory string: nonicNECVMWarVMware SATA CD00
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.drBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>nal
                    Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.drBinary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
                    Source: svchost.exe, 00000019.00000003.2293558433.00000205FB933000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmcir:m
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.drBinary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>-W(
                    Source: mssecsvc.exe, 00000011.00000002.2981002221.0000000000C2D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                    Source: svchost.exe, 00000009.00000000.2166233180.000001A786A3D000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: vmicvss
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000019.00000002.3506457666.00000205FBFA5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: dowvmci
                    Source: Microsoft-Windows-Ntfs%4Operational.evtx.25.dr | Binary or memory string: VMware
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr | Binary or memory string: nonicVMware Virtual disk 6000c292b65879ff477a6af604113f58
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>oso
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicshutdown
                    Source: svchost.exe, 00000009.00000000.2166233180.000001A786A3D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000we
                    Source: svchost.exe, 00000029.00000002.3435246206.000001C781F02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000,@
                    Source: svchost.exe, 00000009.00000000.2166233180.000001A786A3D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.25.dr | Binary or memory string: VMware Virtual disk 2.0 6000c292b65879ff477a6af604113f58PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>-P(
                    Source: lsass.exe, 00000008.00000002.3439187607.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: cativmicvss
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000029.00000000.2277334412.000001C781E40000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                    Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.25.dr | Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicshutdown
                    Source: dwm.exe, 0000000E.00000002.3509386634.0000011607ED0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: PointVMware&P
                    Source: Microsoft-Windows-Partition%4Diagnostic.evtx.25.dr | Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr | Binary or memory string: storahciNECVMWarVMware SATA CD00
                    Source: svchost.exe, 00000029.00000002.3430358268.000001C781E5B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr | Binary or memory string: LSI_SASVMware Virtual disk 6000c292b65879ff477a6af604113f58
                    Source: mssecsvc.exe, 00000005.00000002.2370044980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.3432692016.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.2160000055.00000140AD813000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000000.2179794745.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3421811958.00000195DD613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.2195003090.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3424126128.000001F28C22B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.3424768941.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.2200009754.000001CA9782A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.2207595624.00000254A2043000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.3433120989.00000254A2043000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>xVxp9v
                    Source: lsass.exe, 00000008.00000002.3439187607.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
                    Source: svchost.exe, 00000029.00000002.3430358268.000001C781E5B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: UDFBBSCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000019.00000002.3507078837.00000205FD000000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>LB2oIb
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>ta(
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: 629.vmicvss
                    Source: lsass.exe, 00000008.00000002.3460531405.00000140AE074000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
                    Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.25.dr | Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
                    Source: mssecsvc.exe, 00000010.00000002.2368612169.0000000000B0D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlls
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>U
                    Source: svchost.exe, 0000000D.00000002.3427535586.00000195DD66A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000021.00000002.3425298587.000001B278E02000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                    Source: lsass.exe, 00000008.00000002.3439187607.00000140AD88B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
                    Source: Microsoft-Windows-PushNotification-Platform%4Operational.evtx.25.dr | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>imm
                    Source: svchost.exe, 00000029.00000002.3427368915.000001C781E2B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: svchost.exe, 00000019.00000003.2296747620.00000205FD235000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
                    Source: svchost.exe, 00000009.00000002.3471384873.000001A786438000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat
                    Source: C:\Windows\mssecsvc.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\mssecsvc.exe | Process queried: DebugPort
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00A79868 rdtsc 5_2_00A79868
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE36573 LdrInitializeThunk,5_2_7FE36573
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD3CC8 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,CreateThread,CloseHandle,WSAStartup,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,5_2_00AD3CC8
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00A7302F mov edx, dword ptr fs:[00000030h] 5_2_00A7302F
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD05F2 mov eax, dword ptr fs:[00000030h] 5_2_00AD05F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD042D mov eax, dword ptr fs:[00000030h] 5_2_00AD042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD025E mov edx, dword ptr fs:[00000030h] 5_2_00AD025E
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE305F2 mov eax, dword ptr fs:[00000030h] 5_2_7FE305F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE3025E mov edx, dword ptr fs:[00000030h] 5_2_7FE3025E
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_7FE3042D mov eax, dword ptr fs:[00000030h] 5_2_7FE3042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_00A7302F mov edx, dword ptr fs:[00000030h] 16_2_00A7302F
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE405F2 mov eax, dword ptr fs:[00000030h] 16_2_7FE405F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE4025E mov edx, dword ptr fs:[00000030h] 16_2_7FE4025E
                    Source: C:\Windows\mssecsvc.exe | Code function: 16_2_7FE4042D mov eax, dword ptr fs:[00000030h] 16_2_7FE4042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00A7302F mov edx, dword ptr fs:[00000030h] 17_2_00A7302F
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF05F2 mov eax, dword ptr fs:[00000030h] 17_2_00BF05F2
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF042D mov eax, dword ptr fs:[00000030h] 17_2_00BF042D
                    Source: C:\Windows\mssecsvc.exe | Code function: 17_2_00BF025E mov edx, dword ptr fs:[00000030h] 17_2_00BF025E
                    Source: C:\Windows\mssecsvc.exe | Process token adjusted: Debug

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Windows\mssecsvc.exe | Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF2FE0 protect: page execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF2DC0 protect: page execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF3620 protect: page execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Thread created: unknown EIP: 7EFC3BCA
                    Source: C:\Windows\mssecsvc.exe | Thread created: unknown EIP: 7EFB3BCA
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF2FE0 value: E8
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF2DC0 value: E8
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF3620 value: E8
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF2F60 value: E8
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF3710 value: E8
                    Source: C:\Windows\mssecsvc.exe | Memory written: PID: 1028 base: 76EF2C00 value: E8
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\qsttVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exe  Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe  Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe  Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\System32\svchost.exe protection: execute and read and write (27 svchost.exe instances)
                    Source: C:\Windows\mssecsvc.exe  Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write (2 fontdrvhost.exe instances)
                    Source: C:\Windows\mssecsvc.exe  Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\yietVt target: unknown protection: execute and read and writeJump to behavior
                    Source: C:\Windows\mssecsvc.exe | Section loaded: \BaseNamedObjects\yietVt target: C:\Windows\mssecsvc.exe protection: execute and read and write
                    Source: C:\Windows\mssecsvc.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF2FE0
                    Source: C:\Windows\mssecsvc.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF2DC0
                    Source: C:\Windows\mssecsvc.exe | Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 76EF3620
                    Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1FCC0DE0000
                    Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4B80000
                    Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\SysWOW64\WerFault.exe base: 53A0000
                    Source: C:\Windows\System32\lsass.exe | Memory written: C:\Windows\System32\svchost.exe base: 1D55D2D0000
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1
                    Source: winlogon.exe, 00000007.00000002.3456476310.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2158458567.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000000.2182771761.0000011605AB4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: winlogon.exe, 00000007.00000002.3456476310.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2158458567.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3504320407.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: winlogon.exe, 00000007.00000002.3456476310.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2158458567.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3504320407.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                    Source: winlogon.exe, 00000007.00000002.3456476310.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.2158458567.000001E858D81000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 0000000E.00000002.3504320407.0000011605EC1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD3820 GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket, 5_2_00AD3820
                    Source: C:\Windows\mssecsvc.exe | Code function: 5_2_00AD042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle, 5_2_00AD042D
                    Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.25.dr | Binary or memory string: MsMpEng.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: winlogon.exe PID: 564, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: lsass.exe PID: 640, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 780, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: fontdrvhost.exe PID: 788, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 872, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 924, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: dwm.exe PID: 992, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 1536, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6572, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 444, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 732, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 280, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1032, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1056, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1068, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1148, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1188, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1324, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1384, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1416, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1424, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1460, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1612, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1660, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1688, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1700, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1820, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1836, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1936, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1944, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 1952, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2024, type: MEMORYSTR

                    Remote Access Functionality

MITRE ATT&CK Matrix (one line per tactic; the number in parentheses is the count shown next to a technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Replication Through Removable Media (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Native API (12); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (512); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading (12); Virtualization/Sandbox Evasion (41); Process Injection (512); Obfuscated Files or Information (1); Rundll32 (1); Software Packing (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Network Share Discovery (1); System Time Discovery (11); Security Software Discovery (241); Virtualization/Sandbox Evasion (41); Process Discovery (3); Peripheral Device Discovery (1); System Information Discovery (124)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (12); Ingress Tool Transfer (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph ID: 1591515
Sample: 542CxvZnI5.dll
Startdate: 15/01/2025
Architecture: WINDOWS
Score: 100

Signatures attached to the sample node: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 10 other signatures

Process tree (rebuilt from the behavior graph):

loaddll32.exe (started)
  cmd.exe (started)
    rundll32.exe (started)
      mssecsvc.exe (started)
        dropped: C:\Windows\tasksche.exe, PE32
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 7 other signatures
        injected: lsass.exe (Writes to foreign memory regions); winlogon.exe; svchost.exe; 13 other processes
  rundll32.exe (started)
    signature: Drops executables to the windows directory (C:\Windows) and starts them
    mssecsvc.exe (started)
      dropped: C:\WINDOWS\qeriuwjhrf (copy), PE32
  rundll32.exe (started)
    dropped: C:\Windows\mssecsvc.exe, PE32
  conhost.exe (started)
mssecsvc.exe (started)
  network: 192.168.2.102 unknown unknown; 192.168.2.103 unknown unknown; 98 other IPs or domains
  signatures: Connects to many different private IPs via SMB (likely to spread or exploit); Connects to many different private IPs (likely to spread or exploit); Changes memory attributes in foreign processes to executable or writable; 4 other signatures
  injected: svchost.exe; svchost.exe; svchost.exe; 13 other processes

Antivirus detection, submitted sample

Source          | Detection | Scanner        | Label                      | Link
542CxvZnI5.dll  | 90%       | Virustotal     |                            | Browse
542CxvZnI5.dll  | 92%       | ReversingLabs  | Win32.Ransomware.WannaCry  |
542CxvZnI5.dll  | 100%      | Avira          | W32/Virut.Gen              |
542CxvZnI5.dll  | 100%      | Joe Sandbox ML |                            |

Antivirus detection, dropped files

Source                           | Detection | Scanner        | Label                      | Link
C:\Windows\mssecsvc.exe          | 100%      | Avira          | W32/Virut.Gen              |
C:\Windows\tasksche.exe          | 100%      | Avira          | TR/Ransom.Gen              |
C:\Windows\mssecsvc.exe          | 100%      | Joe Sandbox ML |                            |
C:\Windows\tasksche.exe          | 100%      | Joe Sandbox ML |                            |
C:\WINDOWS\qeriuwjhrf (copy)     | 93%       | ReversingLabs  | Win32.Ransomware.WannaCry  |
C:\Windows\mssecsvc.exe          | 95%       | ReversingLabs  | Win32.Ransomware.WannaCry  |
C:\Windows\tasksche.exe          | 93%       | ReversingLabs  | Win32.Ransomware.WannaCry  |

No Antivirus matches

No Antivirus matches

Antivirus detection, URLs

Source                       | Detection | Scanner         | Label | Link
http://3csp.icrosof4m/ocp0   | 0%        | Avira URL Cloud | safe  |

No contacted domains info
URLs found in memory dumps (Name, Source, Malicious, Antivirus Detection, Reputation)

Name: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3435170210.00000140AD850000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000000.2160070128.00000140AD850000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: https://windows.msn.com/shell
  Source: svchost.exe (00000009.00000002.3458096495.000001A78602A000.00000004.00000001.00020000.00000000.sdmp), svchost.exe (00000009.00000000.2163338253.000001A78602A000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://schemas.xmlsoap.org/ws/2004/09/policy
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://schemas.xmlsoap.org/wsdl/erties
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://schemas.xmlsoap.org/wsdl/soap12/
  Source: lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://3csp.icrosof4m/ocp0
  Source: lsass.exe (00000008.00000000.2160835567.00000140AE074000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3460531405.00000140AE074000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Antivirus Detection: Avira URL Cloud: safe, Reputation: unknown

Name: http://schemas.xmlsoap.org/wsdl/
  Source: lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: https://windows.msn.cn/shellRESP
  Source: svchost.exe (00000009.00000002.3458096495.000001A78602A000.00000004.00000001.00020000.00000000.sdmp), svchost.exe (00000009.00000000.2163338253.000001A78602A000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://Passport.NET/tb
  Source: Microsoft-Windows-LiveId%4Operational.evtx.25.dr
  Malicious: false, Reputation: high

Name: http://schemas.xmlsoap.org/ws/2005/02/trust
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://docs.oasis-open.org/ws-sx/ws-trust/200512
  Source: lsass.exe (00000008.00000002.3435170210.00000140AD850000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000000.2160070128.00000140AD850000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
  Source: lsass.exe (00000008.00000000.2160032797.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp), lsass.exe (00000008.00000002.3433737462.00000140AD82F000.00000004.00000001.00020000.00000000.sdmp)
  Malicious: false, Reputation: high

Name: http://schemas.micros
  Source: svchost.exe (0000001A.00000000.2232869398.000001A204EE0000.00000002.00000001.00040000.00000000.sdmp)
  Malicious: false, Reputation: high

Note: every entry above was read from the memory of lsass.exe or svchost.exe or from a Windows event log, and the legible ones are standard WS-Policy/WS-Trust/WS-Security namespace URIs or Microsoft service endpoints; several are truncated string fragments. None is attributed to the sample's own processes.
IP (public) | Domain | Country | ASN | ASN Name | Malicious
51.62.241.1 | unknown | United Kingdom | 2686 | ATGS-MMD-ASUS | false
39.69.187.1 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
39.69.187.2 | unknown | China | 4837 | CHINA169-BACKBONECHINAUNICOMChina169BackboneCN | false
20.15.180.1 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
20.15.180.0 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.2.157.1 | unknown | United States | 7018 | ATT-INTERNET4US | false
137.175.162.138 | unknown | Canada | 5769 | VIDEOTRONCA | false
26.51.77.1 | unknown | United States | 7922 | COMCAST-7922US | false
211.132.162.2 | unknown | Japan | 9595 | XEPHIONNTT-MECorporationJP | false
211.132.162.1 | unknown | Japan | 9595 | XEPHIONNTT-MECorporationJP | false
138.40.81.2 | unknown | United Kingdom | 786 | JANETJiscServicesLimitedGB | false
138.40.81.1 | unknown | United Kingdom | 786 | JANETJiscServicesLimitedGB | false
51.62.241.233 | unknown | United Kingdom | 2686 | ATGS-MMD-ASUS | false
72.151.164.132 | unknown | United States | 7018 | ATT-INTERNET4US | false
100.43.221.1 | unknown | United States | 14265 | US-TELEPACIFICUS | false
160.166.64.79 | unknown | Morocco | 6713 | IAM-ASMA | false
193.175.220.134 | unknown | Germany | 680 | DFNVereinzurFoerderungeinesDeutschenForschungsnetzese | false
221.170.202.170 | unknown | Japan | 2518 | BIGLOBEBIGLOBEIncJP | false
26.51.77.154 | unknown | United States | 7922 | COMCAST-7922US | false
214.224.11.142 | unknown | United States | 721 | DNIC-ASBLK-00721-00726US | false
214.224.11.1 | unknown | United States | 721 | DNIC-ASBLK-00721-00726US | false
198.154.22.143 | unknown | United States | 668 | DNIC-AS-00668US | false
111.48.240.74 | unknown | China | 9808 | CMNET-GDGuangdongMobileCommunicationCoLtdCN | false
138.40.81.25 | unknown | United Kingdom | 786 | JANETJiscServicesLimitedGB | false
181.1.73.1 | unknown | Argentina | 7303 | TelecomArgentinaSAAR | false
181.1.73.2 | unknown | Argentina | 7303 | TelecomArgentinaSAAR | false
91.63.153.58 | unknown | Germany | 3320 | DTAGInternetserviceprovideroperationsDE | false
78.74.197.76 | unknown | Sweden | 3301 | TELIANET-SWEDENTeliaCompanySE | false
IP (private), in the order listed by the report:
192.168.2.148, 192.168.2.149, 192.168.2.146, 192.168.2.147, 192.168.2.140, 192.168.2.141, 192.168.2.144, 192.168.2.145, 192.168.2.142, 192.168.2.143,
192.168.2.159, 192.168.2.157, 192.168.2.158, 192.168.2.151, 192.168.2.152, 192.168.2.150, 192.168.2.155, 192.168.2.156, 192.168.2.153, 192.168.2.154,
192.168.2.126, 192.168.2.247, 192.168.2.127, 192.168.2.248, 192.168.2.124, 192.168.2.245, 192.168.2.125, 192.168.2.246, 192.168.2.128, 192.168.2.249,
192.168.2.129, 192.168.2.240, 192.168.2.122, 192.168.2.243, 192.168.2.123, 192.168.2.244, 192.168.2.120, 192.168.2.241, 192.168.2.121, 192.168.2.242,
192.168.2.97, 192.168.2.137, 192.168.2.96, 192.168.2.138, 192.168.2.99, 192.168.2.135, 192.168.2.98, 192.168.2.136, 192.168.2.139, 192.168.2.250,
192.168.2.130, 192.168.2.251, 192.168.2.91, 192.168.2.90, 192.168.2.93, 192.168.2.133, 192.168.2.254, 192.168.2.92, 192.168.2.134, 192.168.2.95,
192.168.2.131, 192.168.2.252, 192.168.2.94, 192.168.2.132, 192.168.2.253, 192.168.2.104, 192.168.2.225, 192.168.2.105, 192.168.2.226, 192.168.2.102,
192.168.2.223, 192.168.2.103
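The two IP tables above are the raw material for a quick sweep check: many distinct hosts inside one /24 (here the sandbox's own 192.168.2.0/24) is the lateral-movement pattern, while a few public /24s touched at their first one or two addresses looks like Internet scanning. The script below is an added example written for this report, not Joe Sandbox output; it copies a subset of the addresses from the tables above into a constructed list, and the threshold, function names and the "private versus public" split are this example's own choices.

```python
"""Triage a contacted-IP list for a subnet sweep.

Added example for this report, not Joe Sandbox code. CONTACTED_IPS is a subset
copied from the report's public and private IP tables; the threshold and the
function names are this example's own choices.
"""
import ipaddress
from collections import defaultdict

# Constructed from the report's IP tables: 16 hosts of 192.168.2.0/24 taken
# from the private table, plus 8 public addresses from the public table.
CONTACTED_IPS = [
    "192.168.2.148", "192.168.2.149", "192.168.2.146", "192.168.2.147",
    "192.168.2.140", "192.168.2.141", "192.168.2.144", "192.168.2.145",
    "192.168.2.142", "192.168.2.143", "192.168.2.159", "192.168.2.157",
    "192.168.2.97", "192.168.2.137", "192.168.2.96", "192.168.2.138",
    "51.62.241.1", "51.62.241.233", "39.69.187.1", "39.69.187.2",
    "20.15.180.1", "20.15.180.0", "172.2.157.1", "137.175.162.138",
]


def sweeps_by_subnet(ips, min_hosts=8):
    """Map each /24 to the number of distinct hosts contacted in it and keep
    only the subnets that reached `min_hosts`. Repeated addresses count once,
    so one busy C2 host never looks like a sweep."""
    hosts = defaultdict(set)
    for raw in ips:
        addr = ipaddress.ip_address(raw)
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        hosts[net].add(addr)
    return {str(net): len(seen) for net, seen in hosts.items()
            if len(seen) >= min_hosts}


def private_sweeps(ips, min_hosts=8):
    """The subset of sweeps_by_subnet() that lies in private address space:
    a broad scan of the local /24 is the lateral-movement case, a handful of
    public /24s touched at .0/.1/.2 is closer to random Internet scanning."""
    return sorted(net for net in sweeps_by_subnet(ips, min_hosts)
                  if ipaddress.ip_network(net).is_private)


if __name__ == "__main__":
    for net, count in sorted(sweeps_by_subnet(CONTACTED_IPS, min_hosts=2).items()):
        kind = "private" if ipaddress.ip_network(net).is_private else "public"
        print(f"{net:<18} {count:>3} hosts  ({kind})")
```

With the default threshold only 192.168.2.0/24 is reported (16 of the 72 private hosts listed above are in the sample list); lowering `min_hosts` to 2 also surfaces the three public /24s that were touched at two addresses each. Run it against the full list from a report, or against a firewall log of a suspect host, rather than the subset embedded here.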
                                              Joe Sandbox version:42.0.0 Malachite
                                              Analysis ID:1591515
                                              Start date and time:2025-01-15 02:51:11 +01:00
                                              Joe Sandbox product:CloudBasic
                                              Overall analysis duration:0h 9m 0s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:32
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Sample name:542CxvZnI5.dll
                                              renamed because original name is a hash value
                                              Original Sample Name:be3c1ef872e8e146ff78e66271ca261b.dll
                                              Detection:MAL
                                              Classification:mal100.rans.troj.expl.evad.winDLL@16/62@0/100
                                              EGA Information:
                                              • Successful, ratio: 100%
                                              HCA Information:Failed
                                              Cookbook Comments:
                                              • Found application associated with file extension: .dll
                                              • Exclude process from analysis (whitelisted): dllhost.exe
                                              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 40.126.31.67, 13.107.246.45, 52.149.20.212, 20.190.159.4, 20.189.173.20
                                              • Excluded domains from analysis (whitelisted): vttzwu.com, voydqz.com, ezaeqf.com, slscr.update.microsoft.com, poqxaa.com, xdzsqn.com, kkuzud.com, uteyyp.com, pojfeg.com, fxumem.com, bjeako.com, login.live.com, imdznk.com, yscyez.com, onparo.com, urxxuf.com, kiieiy.com, lepdbj.com, ebohzv.com, xzgrlj.com, qiurmh.com, dkrbtp.com, ersgvh.com, client.wns.windows.com, sizuny.com, kfguna.com, otelrules.azureedge.net, oacbaq.com, ogoeuu.com, ant.trenz.pl, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, rxexyq.com, ngemix.com, remieu.com, tkkvba.com, rqegva.com, oaqqkf.com, slnmhg.com, akzoeg.com, abyeya.com, umwatson.events.data.microsoft.com, oqpzuo.com, asjuen.com, ilo.brenz.pl, toexkd.com, eijfjn.com
• Not all processes were analyzed, report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtWriteVirtualMemory calls found.
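The whitelisted-domains line above mixes two very different populations: Microsoft update and telemetry hosts, and dozens of six-letter .com names with no structure. The script below is an added example written for this report, not Joe Sandbox code; it copies that domain list verbatim as its input and applies a shape rule tuned to what the list shows (a bare six-letter lowercase label under .com). That rule is this example's own heuristic for triaging one list, not a general DGA detector, and the two .pl names it leaves in the "other" bucket would need a reputation lookup rather than a shape test.

```python
"""Separate generated-looking domain names from known infrastructure.

Added example for this report, not Joe Sandbox code. DOMAIN_LINE is the
whitelisted-domains list from the cookbook comments above, copied verbatim.
looks_generated() is this example's own heuristic tuned to that list (bare
six-letter .com names); it is not a general DGA classifier.
"""
import re
from collections import Counter

DOMAIN_LINE = (
    "vttzwu.com, voydqz.com, ezaeqf.com, slscr.update.microsoft.com, "
    "poqxaa.com, xdzsqn.com, kkuzud.com, uteyyp.com, pojfeg.com, fxumem.com, "
    "bjeako.com, login.live.com, imdznk.com, yscyez.com, onparo.com, "
    "urxxuf.com, kiieiy.com, lepdbj.com, ebohzv.com, xzgrlj.com, qiurmh.com, "
    "dkrbtp.com, ersgvh.com, client.wns.windows.com, sizuny.com, kfguna.com, "
    "otelrules.azureedge.net, oacbaq.com, ogoeuu.com, ant.trenz.pl, "
    "ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, rxexyq.com, "
    "ngemix.com, remieu.com, tkkvba.com, rqegva.com, oaqqkf.com, slnmhg.com, "
    "akzoeg.com, abyeya.com, umwatson.events.data.microsoft.com, oqpzuo.com, "
    "asjuen.com, ilo.brenz.pl, toexkd.com, eijfjn.com"
)

# Shape seen in this report: exactly one six-letter lowercase label under .com.
SIX_LETTER_COM = re.compile(r"^[a-z]{6}\.com$")


def parse_domains(line):
    """Split the report's comma-separated list into clean names, order kept."""
    return [d.strip() for d in line.split(",") if d.strip()]


def looks_generated(domain):
    """True for names matching the six-letter .com shape; no other signal."""
    return bool(SIX_LETTER_COM.match(domain))


def triage(line):
    """Return (generated, other) lists, both preserving the report's order."""
    generated, other = [], []
    for domain in parse_domains(line):
        (generated if looks_generated(domain) else other).append(domain)
    return generated, other


def length_profile(domains):
    """Histogram of second-level-label lengths. A single spike at one length
    across many unrelated-looking names is the tell that a generator, not a
    human, produced them; legitimate hosts spread across several lengths."""
    return Counter(len(d.split(".")[-2]) for d in domains)


if __name__ == "__main__":
    generated, other = triage(DOMAIN_LINE)
    print(f"{len(generated)} generated-looking, {len(other)} other")
    print("other:", ", ".join(other))
    print("label-length profile:", dict(length_profile(parse_domains(DOMAIN_LINE))))
```

On this list the rule separates 38 six-letter .com names from nine infrastructure hosts, and the length histogram has one spike at 6. When reusing this on other reports, tune the regex to the shape the sample actually produces; the length profile is the more portable of the two signals.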
Time | Type | Description
20:52:17 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
20:53:06 | API Interceptor | 112x Sleep call for process: mssecsvc.exe modified
                                              No context
                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
GUtEaDsc9X.dll | malicious | Wannacry | 27.13.195.1
330tqxXVzm.dll | malicious | Wannacry | 61.53.130.1
9kNjKSEUym.dll | malicious | Wannacry | 39.87.158.1
D3W41IdtQA.dll | malicious | Wannacry | 124.94.33.112
sLlAsC4I5r.dll | malicious | Wannacry | 39.80.197.203
ruXU7wj3X9.dll | malicious | Wannacry | 27.219.109.201
eIZi481eP6.dll | malicious | Wannacry | 182.119.252.121
Yx3rRuVx3c.dll | malicious | Wannacry | 42.63.214.1
9nNO3SHiV1.dll | malicious | Wannacry | 27.11.108.236
mlfk8sYaiy.dll | malicious | Wannacry | 39.74.29.1
Match: ATGS-MMD-ASUS
GUtEaDsc9X.dll | malicious | Wannacry | 56.148.232.23
330tqxXVzm.dll | malicious | Wannacry | 48.0.238.151
https://suman006723213.github.io/garena.reward.ff/ | malicious | HTMLPhisher | 34.36.216.150
https://checkpoint681.verifications.io.vn/491c51f2b04f4064b623dfcead849625 | malicious | Unknown | 34.149.134.77
https://jpmchase.secure.virtru.com/start/?c=experiment&t=emailtemplate2019-09&s=ccs.collections%40jpmchase.com&p=c0d0aede-7bea-4ead-a752-2d73ef1c7343#v=3.0.0&d=https%3A%2F%2Fapi.virtru.com%2Fstorage%2Fapi%2Fpolicies%2Fc0d0aede-7bea-4ead-a752-2d73ef1c7343%2Fdata%2Fmetadata&dk=1k9dx%2B9Tl5K3SfB3B3irzBa9ZHLb5jXqYy1n7NSx1lE%3D | malicious | Unknown | 34.160.98.162
F1G5BkUV74.dll | malicious | Wannacry | 33.175.236.126
ruXU7wj3X9.dll | malicious | Wannacry | 56.59.202.1
YZJG8NuHEP.dll | malicious | Wannacry | 51.209.245.1
http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664 | malicious | Phisher | 34.149.158.220
hsmSW6Eifl.dll | malicious | Wannacry | 34.1.98.1

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
tTbeoLWNhb.dll | malicious | Wannacry | 21.90.103.237
330tqxXVzm.dll | malicious | Wannacry | 40.90.175.1
EXTERNAL Your company's credit limit has changed!.msg | malicious | Unknown | 13.89.179.14
Eastern Contractors Corporation Contract and submittal document.eml | malicious | Unknown | 40.126.32.138
04Ct9PoJrL.dll | malicious | Wannacry | 22.174.74.1
bopY0ot9wf.dll | malicious | Wannacry | 20.51.106.1
habHh1BC0L.dll | malicious | Wannacry | 52.178.54.35
https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d | malicious | Unknown | 20.49.104.18
FjSrGs0AE2.dll | malicious | Wannacry | 22.184.197.1
mlfk8sYaiy.dll | malicious | Wannacry | 13.103.137.252
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
https://cc68b94d-d9d0-4a03-bf37-d58a3335e1ce.p.reviewstudio.com/-/en/b/?_encoding=UTF8&_encoding=UTF8&node=3024314031&bbn=16435051&pd_rd_w=VSdHJ&content-id=amzn1.sym.01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_p=01fcb23a-92a2-4260-b9bf-7c78abf408da&pf_rd_r=E0WD16QK99B55VAWSKBQ&pd_rd_wg=EU3Lj&pd_rd_r=fd3510c2-a6e6-4f59-a468-c59aac80bfa9&ref_=pd_hp_d_btf_unk | malicious | Unknown | 40.115.3.253
https://ziyahid.github.io/netflix-clone | malicious | HTMLPhisher | 40.115.3.253
http://pub-35a1d927529e4c9684409537cf8ff63f.r2.dev/docu/e_protocol.html | malicious | HTMLPhisher | 40.115.3.253
http://emeklilereozeldir.org/ | malicious | Unknown | 40.115.3.253
http://industrious-tomato-ngvkcs.mystrikingly.com/ | malicious | Unknown | 40.115.3.253
http://telegroom-nzj.icu/ | malicious | Telegram Phisher | 40.115.3.253
https://cdn.trytraffics.com/rdr/YWE9MzUyODAwODkxJnNlaT0zMDQ3NDU3NCZ0az1JR0doTXJGNXNpVnJBYzZkWlBUWSZ0PTUmYz05MGFzODc2ZmQ4OWFzNWZnOGEwOXM= | malicious | Unknown | 40.115.3.253
https://sreamconmymnltty.com/scerty/bliun/bolop | malicious | Unknown | 40.115.3.253
https://yolocdh.weebly.com/ | malicious | HTMLPhisher | 40.115.3.253
https://githoalonebiggsimalls.weebly.com/ | malicious | HTMLPhisher | 40.115.3.253
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Windows\tasksche.exe | UR9TBr66am.dll | malicious | Wannacry
C:\Windows\tasksche.exe | eAx3JV2z84.dll | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | UR9TBr66am.dll | malicious | Wannacry
C:\WINDOWS\qeriuwjhrf (copy) | eAx3JV2z84.dll | malicious | Wannacry
                                                      Process:C:\Windows\mssecsvc.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3514368
                                                      Entropy (8bit):7.777724762407647
                                                      Encrypted:false
                                                      SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3x:QqPe1Cxcxk3ZAEUadzR8sB
                                                      MD5:79409B6F48460807480E4A574312D85F
                                                      SHA1:5D9F64CCF13081441F2785A535E02312236445D9
                                                      SHA-256:331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
                                                      SHA-512:AC004B3248CBC2CE7B6D566E3F5128195669E5C53C24AE13668E37FDADCB5158CC345D7A33CADFED6328A25A640C5FA612D0F0DB86989C3ACC21771B55508916
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 93%
Joe Sandbox View:
• Filename: UR9TBr66am.dll, Detection: malicious
• Filename: eAx3JV2z84.dll, Detection: malicious
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................
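The preview above shows a conventional PE32 layout with .text, .rdata, .data and .rsrc sections, but the characteristics bytes that decide whether a code section is writable are not legible in the dotted hex. The script below is an added example written for this report, not Joe Sandbox code: it walks a PE section table and flags any section that is both executable and writable, a common marker of a file infector that patched an existing executable in place. Because the dropped file itself is not available here, `build_pe()` constructs two minimal images with the same four section names, one with normal flags and one with a writable .text; those images, the chosen offsets and the function names are this example's own.

```python
"""Flag PE sections that are both executable and writable.

Added example for this report, not Joe Sandbox code. The report's preview of
the dropped file shows only the section names, so build_pe() constructs two
minimal PE32 images for illustration: CLEAN_SAMPLE with normal flags and
PATCHED_SAMPLE with a writable .text section.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

PE_OFFSET = 0x40                  # e_lfanew chosen for the constructed images
OPTIONAL_HEADER_SIZE = 0xE0       # size of a PE32 optional header
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections):
    """Constructed test input: DOS header, PE signature, COFF header, a
    zero-filled PE32 optional header and one section header per
    (name, characteristics) pair. No section data follows, so the image
    parses but is not loadable."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", PE_OFFSET)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE, 0x0102)
    optional = b"\x0B\x01" + b"\x00" * (OPTIONAL_HEADER_SIZE - 2)  # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\x00"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
                    0, 0, 0, 0, flags)
        for i, (name, flags) in enumerate(sections))
    return dos + b"PE\x00\x00" + coff + optional + table


def section_table(data):
    """Walk the section table of a PE image and return [(name, flags), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, pe_off + 6)    # COFF +2
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)    # COFF +16
    off = pe_off + 24 + opt_size                               # section table
    result = []
    for _ in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, data, off)
        name = fields[0].rstrip(b"\x00").decode("latin-1")
        result.append((name, fields[-1]))
        off += struct.calcsize(SECTION_HEADER)
    return result


def writable_code_sections(data):
    """Names of sections carrying both MEM_EXECUTE and MEM_WRITE."""
    return [name for name, flags in section_table(data)
            if flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE]


# Section names mirror the preview above; flags are the usual MSVC defaults.
_NORMAL = [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
CLEAN_SAMPLE = build_pe(_NORMAL)
PATCHED_SAMPLE = build_pe(
    [(_NORMAL[0][0], _NORMAL[0][1] | IMAGE_SCN_MEM_WRITE)] + _NORMAL[1:])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_SAMPLE), ("patched", PATCHED_SAMPLE)):
        print(label, [f"{n}:{f:08x}" for n, f in section_table(image)],
              "writable code:", writable_code_sections(image))
```

To check a real file, read it into `data` and call `writable_code_sections(data)`; a non-empty result is a reason to look harder, not a verdict on its own, since packers and some self-modifying loaders also mark code writable. Compare the whole section table (names, sizes, and whether the last section looks appended) before calling it an infection.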
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                      Category:modified
                                                      Size (bytes):4680
                                                      Entropy (8bit):3.711003410108568
                                                      Encrypted:false
                                                      SSDEEP:96:pYMguQII4i5lz6h4aGdinipV9ll7UY5HAmzQ+:9A4n/xne7HO+
                                                      MD5:207D7A4BB76433AE17CBE654A4A2965A
                                                      SHA1:A9FDA6709BFFCB47CA96E05913E89B8745FC3654
                                                      SHA-256:EF8FBB8CF2968CD745D5C8D75B866EC965378DFEBBEA7D6B5962806FAEFB8E63
                                                      SHA-512:1963C34A70C4A095DE46947328A9A44B67260938656026E2E7AA24480064E8E2E08D6DCC0BCEAC6B54384348CED9E162F2C661AC2241EF30BBF1A947560524B1
                                                      Malicious:false
                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):6440
                                                      Entropy (8bit):3.9707319168992488
                                                      Encrypted:false
                                                      SSDEEP:96:2oCrup/vOocabeilaFgQjHQd6k0GCFoG3zYbES3zYdtQqg:pH/mNAexRwAk0GA/ajX
                                                      MD5:C5686DB6680EF3F9075D4584F3443D94
                                                      SHA1:9F53BD6A598DC8E10229BE470CF1A731B50474F6
                                                      SHA-256:49B827DCB02D61A551C958F6FA94DB97226CD91DAD47CA804886E251028CE2EA
                                                      SHA-512:EC257B00DA09D996625B95ACAF914673F8E97A7909B59E40A68EF124DEC3E1CF19543B1AB45B278D6D690930EE1AD1550C5C1D0F434AF4FB19122C1BD962D617
                                                      Malicious:false
                                                      Preview:ElfChnk.................f.......j...............(..........................................................................................................................=...........................................................................................................................g...............@...........................n...................M...]...........................j...............................&...............................~.......................................................**..X...f.......\.U".f..........&.........}.]..+..$.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Z............{..P.r.o.v.i.d.e.r...7...F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.S.P.P.F........)...G.u.i.d.....&.{.E.2.3.B.3.3.B.0.-.C.8.C.9.-.4.7.2.C.-.A.5.F.9.-.F.2.B.D.F.E.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):67544
                                                      Entropy (8bit):4.102208680307349
                                                      Encrypted:false
                                                      SSDEEP:768:8kBVUHiapX7xadptrDT9W84bW664k5XyvkYk:87Hi6xadptrX9WPbR7
                                                      MD5:AAE1405C54F5A7350C62189AC8988915
                                                      SHA1:A37D74B2A3F1EC0ACE23C1A5A1C0665B9A9ECFDF
                                                      SHA-256:BF05DACCBFA4259E32726A19123857F8A3811D68753683DAEBFA1CDB8C849EC5
                                                      SHA-512:385268344D8D1B5E793402C37CC43B6263135B74B7CB22E2189D6F869CD24B743D96069BE02A51D6488B4A798D7699B1514FC370BC1E26C7F9E01E5578584E2F
                                                      Malicious:false
                                                      Preview:ElfChnk.........S...............S......................{......................................................................j................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..(...Q........4...f........F..................................................................F.......R.....!.....s.......... .4...f......................@...Q....................M.i.c.r.o.s.o.f.t.-.C.l.i.e.n.t.-.L.i.c.e.n.s.i.n.g.-.P.l.a.t.f.o.r.m.U....I.)+."Bo*M.i.c.r.o.s.o.f.t.-.C.l.i.e.n.t.-.L.i.c.e.n.s.i.n.g.-.P.l.a.t.f.o.r.m./.A.d.m.i.n.....R.qo..................J...J...........6.1.a.f.d.6.a.2.-.d.7.c.3.-.8.d.2.5.-.3.6.c.2.-.0.c.2.c.4.7.e.3.a.c.a.8...6.1.a.f.d.6.a.2.-.d.7
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.4013147639327475
                                                      Encrypted:false
                                                      SSDEEP:384:FhGN+3N6sNSNYNLNjNUSNbN6NHNRNbNYN0NsNZN7NhNLNPNhN8NdNixNAwNioNZs:FGvsbF1QBjr1xCKuL48fpoQ
                                                      MD5:D352D15D6A29EC818FCCB7D131D827B4
                                                      SHA1:E83944244EF8A5B84B6A8DF486A5A5801937ED51
                                                      SHA-256:B57978A9C8C8B8D8DF2EC5AAE442504C7327951A2602CD8322378EB9E6AC0D57
                                                      SHA-512:CF9CDEAE9F69A19E36214B4C29D9C319B231675CD5B4B3A7BAC8F1EE23FFDB06E8E4188E0309A2B710EA1AC8948F72ED4EC7CA8209FA7C0255E1C3BA4614E959
                                                      Malicious:false
                                                      Preview:ElfChnk............................................lK..........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F....................C.......................J...............................................................i...................F......e...........**..............."s...........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):69744
                                                      Entropy (8bit):4.288088234291132
                                                      Encrypted:false
                                                      SSDEEP:384:yVxWkVLJV9VtVgVUVrVZhsVPVUVvVoVTVXV8VMVxVIVyV5JVYV6VCiVfV5V/VBVs:qHI1H
                                                      MD5:C370C861B178376C534151DBB1CE95E7
                                                      SHA1:E6CD15BD68DB6762C13F836BD1DDFBD523D7691E
                                                      SHA-256:8BABB9FAC14E290671ADEF51670CF0A83A383CC4F8688F659BE2ED5BA2D9BC78
                                                      SHA-512:298D1CCF2724D2A7A8F5DBD5D45054EDAB9648CA2ECC5B85AE7A9AA677765EE44686FF46A9B517EF57DF6E6C7A2433EB283567AB0B1F50C5763A6447C61E0022
                                                      Malicious:false
                                                      Preview:ElfChnk.i...............i...................H.........N....................................................................g...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F....................................................3.......................................................8..........................&...Y1......**..............%@.u..........F..&...............................................................@.......X..._.!.....E..........@%@.u............s....................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....M.i.c....**...............:.u..........F.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.423265177202914
                                                      Encrypted:false
                                                      SSDEEP:384:67UhsmYDQlm9cKrRtUmNmHumtTmgm5wQXvZ7bmO8mfQE3mq9mqmxqm6nFmCWmnsn:XMrJcWHvqisqnvokZRKeTSPnSKn
                                                      MD5:34B35A683C68A73A1BF569F68E54DB0D
                                                      SHA1:FC5C102CFE726B21653E768ADA9A275FADA90550
                                                      SHA-256:82203A8B2AF5D6CF60E99ADA87DF17CED01A954F995B6649E26E1C08FB97BEC9
                                                      SHA-512:E547B36385DBFBAF0D825AE5475C3CEF0B1949E632402D94385794F1AA1A8A565738FA29C4F895894DB61B86CE7F29DF2D389CFF63D9D246AE5157BAB20DABB1
                                                      Malicious:false
                                                      Preview:ElfChnk..0.......0.......0.......0..........x...X...iS.~........................................................................................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...................................C\..........................................KJ...............H..;d.......X..............#...........%...........**.......0....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
                                                      Category:dropped
                                                      Size (bytes):70680
                                                      Entropy (8bit):0.7970331195244389
                                                      Encrypted:false
                                                      SSDEEP:384:PmhpiMLe8XiCtViCi4hpiMLe8XiCtViCi:ePpnPp
                                                      MD5:1B27247D2208CF557693A326FABB2E2E
                                                      SHA1:DD882B3916882551A802E4FF22E6069793EBE601
                                                      SHA-256:B1BAE55A1B246E649E612FF441298FA7E74461F34AA7FBCC9905DB300925A438
                                                      SHA-512:1B0FA364EC957F352C13FE632FDE271B38B3D359B529BE2D163A88FFBC7C893AAD3218C954292DEB05445D16C0D10034B5A7F0965BBEB0839F03DA4D5920514B
                                                      Malicious:false
                                                      Preview:ElfFile.........................................................................................................................ElfChnk.....................................P........8......................................................................Ux'e............................................=...........................................................................................................................f...............?...................................p...........M...F...................................................................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.416807332891786
                                                      Encrypted:false
                                                      SSDEEP:1536:CbBN2A4VD7VAx8whAGU2woJQghgooKChi581UAkM:
                                                      MD5:8B93FFD74BA69D506BC1A7CA93434764
                                                      SHA1:8275F283E3EB6143F33D1B97C889D167963A9B41
                                                      SHA-256:9D1B6EA5CF8330CB2CE526B709669FCF7BD756EE43E30230B98F3FBE6B80D227
                                                      SHA-512:8EED6493C2C3B9BD2B0DB0ECF80B6FFCC007A1BB618725BC5681469894965CE2606589062BA941C6B29D23F9A5F46EE9613F2FA46AC0B587CB6130EA99E24A15
                                                      Malicious:false
                                                      Preview:ElfChnk.........b...............b...............@...........................................................................Z!H.............................................=...................................................................................%.......................................X...............?...............................................M...F...................................................................................................................................z...............**..............................g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.519960906808938
                                                      Encrypted:false
                                                      SSDEEP:768:7PB9TXYa1RFxRaayVadMRFyfqd9xZRta7Ea+5BVZUeaBhN1dJhlBlBJ9ZFN9NxKk:vXY5nVYIyyqED5BVZUeJ+EsiA881rXT
                                                      MD5:F2DD657C9A1CB9C4DE1DF89C0F45E5F1
                                                      SHA1:A9B48C4B4F004BE9F9641753D4BAEADD209BC4EF
                                                      SHA-256:7601EB81F47B9DFC18BAD436F6657EBFD07782F6C8BC681A76DEFC69C6104613
                                                      SHA-512:C226D4C11D55C8BA887F2A6314B2C797CA60A12B90C066E7929E0CF182440D3E246C9399D4118FD5E781C7998A85E78AEF363D54D68DA86E39BF6D9F07DA6441
                                                      Malicious:false
                                                      Preview:ElfChnk.........|...............|...................%DkZ........................................................................................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................y...........>...........**................9..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):93880
                                                      Entropy (8bit):2.149676099710646
                                                      Encrypted:false
                                                      SSDEEP:384:KosK6Co3hdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorDorrTo9orFo2:6BDCpWPDCpWj0SB8
                                                      MD5:68DE021BC7D2289BD8404C6900B1E4CD
                                                      SHA1:DC2E3AFA09527A397C6084D25602D9C71334CD6E
                                                      SHA-256:80A62E35444B0FD6C1CAF081C2BB60F04F6BC08F631DB633D3B9A13B3362A9AA
                                                      SHA-512:E15A1C4716F71EBF4FFA1B1EF6C7C875DBDF2DF9B21EF0BA6FB9BD25B974F4691224CCEE174F790F458D1056FB7940E55079F3C6562B8FA00C28619080E3D5F0
                                                      Malicious:false
                                                      Preview:ElfChnk......................................+...-..\..........................................................................g................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................U)..............................**..............njQ..f........F..................................................................>.......V...X.!..e..............njQ..f...............................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8512934663046342
                                                      Encrypted:false
                                                      SSDEEP:384:vhAiPA5PNPxPEPHPhPEPmPSPRP3PoP1P0mPQP1P9xP:v2Nz
                                                      MD5:B58E72BD85CF367466349FADCF9A5818
                                                      SHA1:0F561886DC1FC8FBCA5DC8CA10DB1A7C34CEE419
                                                      SHA-256:D6F533FC5273A6E86F4295EE8935D94CC1A1CCD12A0DCA9C6C9723F852772861
                                                      SHA-512:32893F184EE6EA667D4FA98625F5B0192256F05E072513D2F68C3078FA2002824DB743BF759C5DEF4EBFD92D4257E5EE06FF584D0F4A79D8A964FA2C65CFCA01
                                                      Malicious:false
                                                      Preview:ElfChnk......................................%...&.........................................................................p4..................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................................'.......................**..x.............|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8432260898567245
                                                      Encrypted:false
                                                      SSDEEP:384:hhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lD:hWXSYieD+tvgzmMvG5m2a0
                                                      MD5:9BCAC131A0E1046D07A1126509C0163B
                                                      SHA1:668C02B1F04155FC7C86DA0FD801AB8512D8E647
                                                      SHA-256:A069A8295BD4D219C7E117748EC00A8CE85C3AD2F84991B77311E865DA012C90
                                                      SHA-512:11CECFB1CC6FB52B75BBEADCB99337634B61B1D4B78514905846BC0D6F57704EFDD01E59177C0A843FB8346DF2AEF6FF00315D1597E526F4408368A0834B4E90
                                                      Malicious:false
                                                      Preview:ElfChnk......................................$...&............................................................................W................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................&...........**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):67128
                                                      Entropy (8bit):3.1539129169709863
                                                      Encrypted:false
                                                      SSDEEP:384:ChWh4FhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hR:wbCyhLfISid
                                                      MD5:858D6ABA27FBCB52369BC5C50A08CBF3
                                                      SHA1:DDB494D442A73DF2A841E4C8995CF2FFCFCC6B95
                                                      SHA-256:45B413EDD5C6E9312C10D0D2B4638C982DEFBB22E7CE782FE4FE2EBDF9B9F1C8
                                                      SHA-512:90C749C511364881F01A25D9772A76BA3509E227EC28F4024ADDB934D754D9251035ED6247849758B0A2C92DA8065A7539B7AA951E1B123BC72ECBB169357644
                                                      Malicious:false
                                                      Preview:ElfChnk.........L...............L...........P........n0....................................................................ps..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n............................................................................v..........**......K............f........F...v..............................................................<.......T.....!......................f..........)...............K....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............j...;......H..f(.:j4C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\.U.s.e.r.\....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):66528
                                                      Entropy (8bit):3.297033869047589
                                                      Encrypted:false
                                                      SSDEEP:768:ScMhFBuyKskZljdoKXjtT/r18rQXn8iLqa3:jMhFBuV
                                                      MD5:66654F01BDFF24962CDCDEC7D524FCF7
                                                      SHA1:02A572B8B9534FACF129E380EF9AB9A24574D0E4
                                                      SHA-256:235573D5743FDDD1E7BC5228D10D2A8FD811F72A3230751F0EA5270D8127EDA2
                                                      SHA-512:3C99ACB512991A202B7D7F213D80E704839E1B70EA2C05B42776681090B5016172C45365382AAA231E1FC223037C375BA4F2C7E2BACED7A30DF4A67712A61B04
                                                      Malicious:false
                                                      Preview:ElfChnk.........L...............L.................7..........................................................................................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A..........................................**......L............f........F..................................................................>.......V...y.!......................f..........)...............L....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t........E..3...pM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.N.C.r.y.p.t./.O.p.e.r.a.t.i.o.n.a.l....M.........F...........M.i.c.r.o.s.o.f.t. .P.l.a.t.f.o.r.m. .C.r.y.p.t.o. .P.r.o.v.i.d.e.r...0...l.s.a.s.s...e.x.e................ElfChnk.
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.896745651566555
                                                      Encrypted:false
                                                      SSDEEP:768:nre2Q+uYvAzBCBao/F6Cf2SEqEhwaK41HZaWRSgELNnLi:WHf
                                                      MD5:396196233DA144BC9B1AC36AEBA3FA42
                                                      SHA1:B5800B9F323B93BCBCFA9D2F727A9975CACD6337
                                                      SHA-256:4A268F50173502D662F85D13944A1249B58912BCD3BC9FA6B419CB1E561D2969
                                                      SHA-512:A0C83A765A92F558C0BBD72D418D6C8A2AB26F90A71DA6B5342C1AC98E3BB3AC0A57E6DBA86AB7334276A0058863364C36D8205EEBEAF1B29B411860DA528F61
                                                      Malicious:false
                                                      Preview:ElfChnk.v.......x.......v.......x...........P...`...d........................................................................X.e........................................V...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..@...v.......<..:..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.924636023538134
                                                      Encrypted:false
                                                      SSDEEP:384:wh1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzDx:wMAP1Qa5AgfQQn
                                                      MD5:8EC9027553BC6E0AA226CBE3AA9AEC1A
                                                      SHA1:3E261D8E27902EB9EEF0333F5716E2298FE8FA55
                                                      SHA-256:A2261A47F8E8D6F1E200968E7080400155424C4DD140F281C48FEACD0017A010
                                                      SHA-512:859C59B36EFF5DCEBD329ABED2952EE5ECE6B4D5A8918C341878E77ABEC82C6B2CA0F7392E5DF79C30A004ECF82664DBA87381739F55FC7D6547AC84DDA1BA65
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................0_..0b.............................................................................o................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&..............;....................R..........**..x...........HD................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.4435307576303655
                                                      Encrypted:false
                                                      SSDEEP:384:3hBE0EGEq0EJE9EdEmE0S4E9/8OaExy4vEeE0TEVzEfEm/8E3VEQEoEwDEfEtEMZ:35SWOQRjEHgl4iYlz
                                                      MD5:A8DA15633D80829F32A3E0CD50CFD995
                                                      SHA1:CD4DD833ED62AD6DEE8A4B109A0356075CCDB8EC
                                                      SHA-256:30BF357C2ADCC24F1A1A48EA85302CB33B8993899685FFFFDC13CD2E4A15C05F
                                                      SHA-512:C7D808E257302F4D08623CE5C5A8D622CE946ADAA2543EE97A1AD3759CF11F93FAAFC8D786CDD4B32A1CBC1E97D5472A30B2A1EBADD5014F7F11BF2B92F1EA8B
                                                      Malicious:false
                                                      Preview:ElfChnk.s...............s...................@.......N...........................................................................................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F....................@...............>... ..E....................$...........(...&.......".......................F...........D...............Q......**......s....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.3316790418382953
                                                      Encrypted:false
                                                      SSDEEP:384:ahYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl/:a1T4hy3V3
                                                      MD5:F7D62B056AB8FE4B83092B05915DD92A
                                                      SHA1:7310B87EC20943EE7854A907C4F807D04D148ABF
                                                      SHA-256:337F9831E9B639FC1523A9EBBDBA186A13D82AF929262CCA31F9FE0677B18E4A
                                                      SHA-512:23FA4D0C18EFC32B8D0A7E5472973DFE557BC793E1BA38468CF5760561700FC1F7965B5A231F76D277B49E5B5E381F8773ED88E6B472CFAC78D5332A495F33ED
                                                      Malicious:false
                                                      Preview:ElfChnk.........m...............m...........@.......r9{.....................................................................g..................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../...........n...........**............... .$..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.4485744286205566
                                                      Encrypted:false
                                                      SSDEEP:384:GhFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDfi:GzSKEqsMuy645tZtPN
                                                      MD5:4572B4ADCED1EA2335588876D2A4AF20
                                                      SHA1:0F16E0FF89200599B7DB688563F2E6B656ECFD4B
                                                      SHA-256:68B18DB8939820C2E1E49267F4DA6D5F9EEBECF40A43BE0DEE1643D96CD5FE4C
                                                      SHA-512:6D9E98838FEE3DB11033784CA8A912608F7814D2353C14C839BC372CE4EBF0AC9D05984EA3FE0B153062BAE55CB850277100569B37ED1B798CCDCA1E7746AD57
                                                      Malicious:false
                                                      Preview:ElfChnk.........L...............L....................:.N....................................................................j...................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=....................................................................`..........**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.1559400308203562
                                                      Encrypted:false
                                                      SSDEEP:384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3zZ:Bmw9g3Lf
                                                      MD5:64B9990B5E7F3874310C63A28FF2269B
                                                      SHA1:B1A4325EECAFB72D9AFF23F1759F866757699E9E
                                                      SHA-256:3C9770DF816491A1C40167F1C53A46FB17122962B646A72F604ED3044A981DCC
                                                      SHA-512:BC184A0543AC3022AC17527A5569CA2105E1A9B779B829A7B1FB3A72BD2B429797E1E09A229880E5803F38809A17D2FE019374D87EBC6658AB55DB837DF5C6A3
                                                      Malicious:false
                                                      Preview:ElfChnk.........6...............6...........(o...p...].O....................................................................|.3.................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#....................................................................X..........**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.887574143139413
                                                      Encrypted:false
                                                      SSDEEP:384:BhoIRbiY8sITkAI6RdkbI4IfIixIWMIPIxIJI7IyIUIgIoqIuILI:BOnDB
                                                      MD5:59A9F7EF42800364F6BF938C549BBD94
                                                      SHA1:43FAC818EB3960E73963CFD78F1AE4DE6A3799D6
                                                      SHA-256:E2BD020B97A6FB59EF57126B4DC72C56E7F457A06C7F911243C77BC0C1ACC206
                                                      SHA-512:2A62CCA656E0761FF2C1F585207C03B19E9E827C80293C9A402C01A353D47774BC97A7A48CD136862131F18434DD29245D3A1E20E88A72AF45824ECAB6B26153
                                                      Malicious:false
                                                      Preview:ElfChnk.K.......L.......K.......L...........x...86.....&......................................................................e.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**..x...K.....................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):174960
                                                      Entropy (8bit):5.698713278565312
                                                      Encrypted:false
                                                      SSDEEP:1536:+AfWFqEEdF7VlAfWFqEEdF7V5bXTAfWFqEEdF7V+/q:wc
                                                      MD5:7E1E24649D46141E1845C0E577603572
                                                      SHA1:D9823B62595AFC05C531DBF33CD7A2F56CDBB011
                                                      SHA-256:41E2EB24E4C9F65C7E615D1409AD32632F9C3701EF65EEE524EED8E21E05BD2D
                                                      SHA-512:9AFF418B318F44FFEB2C00C56D5DDB6C1EA0D897590883F21FB648E0B526931D46E0C0EA69F747C36B80C12C664781525FA607C55D0ABBE1EDFFD991F258C13A
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................x...`...BF........................................................................V.........................................:...=...........................................................................................................................f...............?...........................m...................M...F........................................................................................2...........~..................................!/..........**..@...........kQ...f........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.9969363418868648
                                                      Encrypted:false
                                                      SSDEEP:384:Oh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMGmMqb+MvhMIp:OeJWU
                                                      MD5:F3F76FCFEA8151604EA805CB80B1FF45
                                                      SHA1:53062346A40583E0ED706493B387818CF85A608A
                                                      SHA-256:46BE32A18F777427FCB76E515EDD8612F22823F8D5F9C75FAF64DFBC9D810BC0
                                                      SHA-512:DF7829C3655FC7F7AF8C6F82DF8F48C3842AB6AC99B32705AC232DDD1D7398A93B3C03BA8217D055702FB8881AC8FC5DECCEAB8E2ED23F8B73C7B2737DFD00C2
                                                      Malicious:false
                                                      Preview:ElfChnk......................................+..0-...i........................................................................z4........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................................................................................................%..........**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.231994720329579
                                                      Encrypted:false
                                                      SSDEEP:384:ehk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS16:eBjdjP0csCk+
                                                      MD5:2418B580C396BF3D2B2E78EF78F65991
                                                      SHA1:5AA4D8E6E8EC06232294A57762DCF70B6A4AEC46
                                                      SHA-256:4FA9363ED99CF66AA2B887DB72C99F7E21B364AAFE0C169B5CEACEF72E971557
                                                      SHA-512:650C05CE840801E047324A41E74F07718BC4503AD16860C4161B31027B2D480F0DD72B1EB936F08C3985DDAE151D7340D1C7DD09C61F957694A3A800F7923F4C
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................p...$.._......................................................................5.................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................**..............*5.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):77968
                                                      Entropy (8bit):3.337905347761276
                                                      Encrypted:false
                                                      SSDEEP:384:qKIjgZIIIlIBI5I/+IPI3IBCIFsWIKI//IwvIaIEI5ILI+IseIpIBhId/hDIEQAU:qKWYu/ZxGuTcrgWY
                                                      MD5:4B6D61F581101FEB860BB4BD567758F2
                                                      SHA1:9D4B6DD81D01ACF3451D72A4ADA1988B7CC5F4C7
                                                      SHA-256:0D0A49EE81A32246A755B4793A390DB42D01E095DFD1457E21C6376307110F54
                                                      SHA-512:7AB23B44D0FBE29976868982CAC13000486DBA727B60B64A5E5085CA8D828A90FF756BFD2EDBB6062449D17698C4B2DC06C75B623033BCDAEAE6ABB1D6EE9D6D
                                                      Malicious:false
                                                      Preview:ElfChnk.T...............T...................P...h..........................................................................?.."........................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1........................................<...............(..........**......x............f........F...(..............................................................,.......D.....!........... ....@.....f.....................x...x....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l...........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8010759015442367
                                                      Encrypted:false
                                                      SSDEEP:384:Zmh6iIvcImIvITIQIoIoI3IEIMIoIBIjIIQIYIRIEMIO4I:ZmoxDJ
                                                      MD5:697F5D7E812BBBA5F48BAEEE79161558
                                                      SHA1:2BB9620AEAFE781DAD1250C78AE760F530C04FEF
                                                      SHA-256:1F9630EFD18553522D80986F123499E9172D5D8949BD43F82D0964ED671CE516
                                                      SHA-512:166A91F00C96D4B5DB8C75B843FCD2ED191CAF2D82CEB41138FD22663D481CB50BF38D5C522524C94033EE7CD3C303AFA60261F95900299C73E2E0277834C598
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................X"...#..!.._.....................................................................8.Y............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................^...........**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.9976457275581723
                                                      Encrypted:false
                                                      SSDEEP:768:j4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH13N:p
                                                      MD5:8B81799FB23EDB0DFBBE63CB0A6D0091
                                                      SHA1:08F10769E5AC65A808F3229113875C18E68F02A2
                                                      SHA-256:199F3107FA0F478BECC0D255CA70F74B63F048F6B43015C4BCEFC7DB07358609
                                                      SHA-512:098626BC09ECABD19653ADFE82C5CC8A73C4CD1537C28E781484F6B676E837896C892B3E0691E5D469C1972A76B646456E14907280D1040181C1F973B9302E61
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................(...8...&..........................................................................`................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):194344
                                                      Entropy (8bit):5.268353592440892
                                                      Encrypted:false
                                                      SSDEEP:1536:SXYQLB7/KcCDqIRk0xN8ZX3CDqIRk0xN8ZXXXuEvR:0YQDnN
                                                      MD5:7AD5C383D3A28F6D020F068C538523CE
                                                      SHA1:79AC91AC4622A28459C5A1094D7F9185B46AD77E
                                                      SHA-256:A85E98B6B12589CE7BF6F2FC229B0674C9856EA8D7C1FB8B8B856EF97ABA759C
                                                      SHA-512:D33929BE5315E5B79C65D89DAD3085FBA4C6B524458770645F9DB3F5651748FF7B2B5F438C479B27EC8BFFE43794B7776E530AE0DC3B7F4FD05B9434B6C403F9
                                                      Malicious:false
                                                      Preview:ElfChnk.........:...............:...................?.........................................................................................p...........................=...........................................................................................................................f...............?...........................m...................M...F......................._T..................I........V...X..........w............................R..................?/..od......g&......&........b..**..@..............u..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7589270703948895
                                                      Encrypted:false
                                                      SSDEEP:384:fhP8o8Z85848V8M8g8D8R8E8y8eE8U8+8G8:fy
                                                      MD5:DB0D7D192D45E88155DA386A4CFAA7BC
                                                      SHA1:0CA51DB6F3145F47A7DEE55DD59804DDC20788FF
                                                      SHA-256:4D675E0BB5F2F8FB820C9A7E60290AA18EB63DB48D85C343D67B7D1036CAF535
                                                      SHA-512:77BF88FE30C9A2E76B610094998F26BB168BAC41DA2A70C4BCB9C7A7A67B2821C6E7F2D57535CBB47EBC07A89F69BA997028F30ED43D507CB0E9C268BDC74789
                                                      Malicious:false
                                                      Preview:ElfChnk.........................................8!....RE.....................................................................J>.........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................................................................v...........**..(.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.7675545352357376
                                                      Encrypted:false
                                                      SSDEEP:1536:OXh5UyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:OXLnS
                                                      MD5:D8B108172BDDABA8F7A0020026A449FE
                                                      SHA1:7BD06E551B48B264310A8F1157B3AD131036EF25
                                                      SHA-256:47BF3C4F9DEB25154539C64A9DCC6AC6151B961711F7BD36B69A43C5AC938CEE
                                                      SHA-512:E3501335EE9303FDCA94C629D5FC5CA0AD3E63D4DA0AC8174EE108700611F2F206390039607DAE6F5DE104EE5A8B53042AD0BAB62FD64A5676E53C8F47F606EA
                                                      Malicious:false
                                                      Preview:ElfChnk.........(...............(............J..pL.....I....................................................................Q.kc................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................................O............9..........**..............g5...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):96696
                                                      Entropy (8bit):3.0738755771414135
                                                      Encrypted:false
                                                      SSDEEP:768:U0VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9O4aui1J6eJOQJMBJXw2:4cEDcEa
                                                      MD5:73F44CA5F5DB9228A0FF274E34424B1E
                                                      SHA1:5EF7414E83EECB099C42C07F0E668D8B8231C69F
                                                      SHA-256:A00777AF78E0A35A3038066B0FB89BD85C521090F3390044C01877619DCAA374
                                                      SHA-512:2371B53406A138B53EA20600F26ACE5FDCD45C02242F4D00363E4401DF68BCEC6C273A46266C2E059C21E94DF03480A4F23AA7F290E900D9BBA913E4008B6388
                                                      Malicious:false
                                                      Preview:ElfChnk.........>...............>...........0v..`x....p.......................................................................+#................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F...........................*...........&....]..................................................................................]...................**.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.090506760697518
                                                      Encrypted:false
                                                      SSDEEP:384:gkhxQiGQ5XpvVRYBQf5kNY6iT5kmFiT5kmqiT5km7iT5kNYkiT5kmNiT5kmtk5yF:ZUbGDA5eVLpBVi7CPDRmf5dX6CFLx
                                                      MD5:42290E3A06232F3164599CEE9F822F97
                                                      SHA1:8D081F75FC9EC36ADF10299FCB8D98822A6DDB39
                                                      SHA-256:C0AEC98CB6185B5CEFDBA70DAED4F3CBCAC40582EF2627DB228D4785B939BAE1
                                                      SHA-512:76B9E873732E071EEEBC6F45783EF521A2016EEAABB9AC5DBF5F2B72D0A815BC3CE7495F55B9967BB76F5801BB56256E87B8DD34B19BD740BAADA986CFA376B3
                                                      Malicious:false
                                                      Preview:ElfChnk.'.......-.......'.......-............1...8...a......................................................................N.Pl................X...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................1...........................................................................................&...........**......'........&.E..........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.315070457008112
                                                      Encrypted:false
                                                      SSDEEP:384:NYU/hDGCyCkCzCRCFCZC4MCyCcC7CgzCiCoCD24F2a2EO2M2w2s023C8CJCpCFIz:NYU/dEoNTC
                                                      MD5:C7807651248E908ECCF27697EBB71AF0
                                                      SHA1:4FE175151F778EF674F74D25145CCCF62C52F2C8
                                                      SHA-256:A9D4FFC731E3D8287A25FFE350D5142FE1E9CD5D377F0BD7D29BB827C2F12658
                                                      SHA-512:5A8FA490F7BFC98FD39635AA30A0E92AA3C9FFC279424C7D23E9F2893CF7B0FC91BF1F3DAFD14CA006B437AB6E18FAA67FBF7AF96E5347FE27042B262235214D
                                                      Malicious:false
                                                      Preview:ElfChnk.U...............U...........................$....................................................................O...................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................4..............................&................................................................n...........N..........**..0...U.........Df..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.482742417101403
                                                      Encrypted:false
                                                      SSDEEP:1536:bcPLvjwmE+ukWvw75NFyBo/QbG7YX1cchg52p5cfFSYl8ZAgRrfhXWmSY0NGQ6my:bcPLvjwmE+ukWvw75NFyBo/Qq7YX1cct
                                                      MD5:B1F20410E64B0CD42CE4FCBF7AFC9018
                                                      SHA1:4EE19EB81E1C99FDC1C7BA4E87F091AB124FE250
                                                      SHA-256:7AE6BA887BEF8232508D1660717AA893FE68C75D3E4B2D48668AC1E4CD3C0461
                                                      SHA-512:31EDD8B6257AE2C232572765C7ED08A4BA016499A3B0340D55AF1796AD633D17533C0288E07F9B5E74D19A5CF842A63468AE54F61A49F680722E95A48983DE01
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................8i...j.............................................................................5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&............................................................................I..........**..............XH^...............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):69680
                                                      Entropy (8bit):4.461657062929046
                                                      Encrypted:false
                                                      SSDEEP:1536:sCzZEJdhpbxp4HTQMhzEB1PBM+4MFGhLF/EBRyqXiUHeISNpmCzZEJdhpRSYtaSo:sCzZEdhpbxp4HTQMhzEB1PBM+4MFGh5b
                                                      MD5:FFFBF546575C30A151F69FF99418A78E
                                                      SHA1:4E88B02607616CF50AA4C4BA3CD53096B46F3A55
                                                      SHA-256:0240F1EE1E4F59C9B018D8E4A2158FF26EE1B4CC56493994A0488B3FD11EF047
                                                      SHA-512:6AE90615FFA7F62C017056035B822B76DBD4132D54FDF45B1462A69B82A5B123122211614015A3A2CBDD3F104D77A2A85C1A2D5C533C242D90363E3ED1C36F51
                                                      Malicious:false
                                                      Preview:ElfChnk.+.......W.......+.......W...........PW...X..t..........................................................................R................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................yM......Q7...........P..!5...0..........&...Y9......**..x...Q.......M.+..f........F..&...............................................................8.......P.....!....nqm......... M.+..f..W.-x..NG..-B........x...Q........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L.0........S.e.cx...**..(...R........1..f........F..&...............................................................8.......P.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.512081865341501
                                                      Encrypted:false
                                                      SSDEEP:384:Arhl787V7s7y7s7M787/7m7C7p74797kc7h7s7b7Y717c7v7b7v7vV7p73a7k7Z+:Ut/8Hh
                                                      MD5:50465D28597F69AA4BA1836894D19750
                                                      SHA1:CC55004E17EAAF1672D0BDAE3A746C40F6AF7593
                                                      SHA-256:376CBE44BE97D96C93CAB0B83E5480DF2D3EA3CE0169E199BBAC9D7650F4AB93
                                                      SHA-512:725A9F34A7A98390A365F75B2701E31331C2F3CDD1CF62BABB20C3F5655DC0798469B353E7839E8159DBBE733B58A76DA3ABDAC6E7EE4A4D672CB934AC296F49
                                                      Malicious:false
                                                      Preview:ElfChnk......................................n...o..-o......................................................................../V............................................=...........................................................................................................................f...............?...........................m...................M...F...........................-(..............E!..s...........&...............................................................-&..........f@..........**..@.............................&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):2.2719028651564623
                                                      Encrypted:false
                                                      SSDEEP:384:/hc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauing:/6Ovc0S5UyEeDgLLyfrlB8Q54GJY
                                                      MD5:104AF6C87B1FA1C965BB2D3CF70EDC8F
                                                      SHA1:91B208CE7ACC6EDAD1ADC8C5ECBB90000E00CEA2
                                                      SHA-256:6DB30804B563EE808F78EEC69D3A85FF7F3F0FE551306B5924530C2C0EC2738C
                                                      SHA-512:90A83431708CD8FBDC9FAD6AF191EDF3E264D8DEB457ABBCCA8941E15DE0DD4E4C2FB2D89B281C2FA11CA5D627010C96EBE3C43B6338DCA27E7701A883F8C295
                                                      Malicious:false
                                                      Preview:ElfChnk.........@...............@........... s...t..?h......................................................................._R;................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................w...................._..........**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.8167930057519079
                                                      Encrypted:false
                                                      SSDEEP:384:bhGuZumutu4uEu5uOuDuyb2uPu1uyuKtuLujuVgqu:bb+
                                                      MD5:EBB9255F7BBA5C52CE625D69FE52F60A
                                                      SHA1:20F226B11EF3A69F56A13A5BF7530E199BFDE310
                                                      SHA-256:5AB28568919B051FA95E534049B8BA9E606EEF6EAB53EB0ADB71545C0ED2A380
                                                      SHA-512:D8788F58A8DE7C9BD6F7075DC65606508D14C8AD8AC75E8992174A4D35328E70635AEC36531DA5E81A8DABD931092576C60C5B831C73670D856A40BD2427CB8E
                                                      Malicious:false
                                                      Preview:ElfChnk......................................"..x$...k.3....................................................................$.#.................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...........................................................................>...........**..............Wy.8..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.235001208884112
                                                      Encrypted:false
                                                      SSDEEP:384:iGhRAEA/sA/8A/gA/lA/KA/EA/DA/ZA/oA/nA//A/PAzyEAuA8AjCbALuAMAKAtZ:J0hVi+KLN61G
                                                      MD5:50EF6DB57587CF27291B2DED1AD3C542
                                                      SHA1:ECF5C56F998FCA95BE4BA119DC5E241C693DB891
                                                      SHA-256:14AD1DF267604F097745CC1A5C2DC6EDFEABF7E89A69A194B5433363A847F530
                                                      SHA-512:E774A896DA5119D270D59E02DF113CF3E2FC774A24A0A7BDDB39E5D5D614B1F905BAA81FF59790811CAF51B4B92854A06C042D869EA2C52AB19E955E9BB00E4F
                                                      Malicious:false
                                                      Preview:ElfChnk.........!...............!...........x.......<......................................................................t..................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F....................................................{...........................................f......................................&....j......**...............>............F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.1601920702980912
                                                      Encrypted:false
                                                      SSDEEP:384:NhwpsWp90Np9b5p9ihp95lp949p9/pp9Wpp9tlp98Jp9jdp9qBp9BJp9A1Z1p9nP:NRZfQI5
                                                      MD5:1A84D5BFFC6A51A8E813CA9870D46851
                                                      SHA1:62201D49F347A7BEEA7D58DCB45D173ADBD53887
                                                      SHA-256:CBF067DCF2548398B87EB882B7A1F26EC7989DBB4D105C4495020D63E9B5E0D8
                                                      SHA-512:8B3198C3534387FEF8B8120ED0111F6EA02BD21FC3E8C4E74C4936BE18581C80BEF58EB512E111FF0143361E488F1F7C7D3151664E0F4FD996169C894162B24C
                                                      Malicious:false
                                                      Preview:ElfChnk.........'...............'..................._.z.......................................................................j.........................................<...=...........................................................................................................................f...............?...........................m...................M...F.......................................................................................................................................&...........**............................F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.0114620219781365
                                                      Encrypted:false
                                                      SSDEEP:384:jhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWBo:jwDoh1VvpE0Y5RA8sQ
                                                      MD5:70F943A767EE17A83B03D620404602D6
                                                      SHA1:26A2A2C8690D3F47D6192DDC29079CA4DE7507A6
                                                      SHA-256:AAE4D860D5B31157D69935C9A68A8958EF96D9EBB7AB346B8F750E7FD339FBE5
                                                      SHA-512:88CAB5E94A82F49036C5DC4A3C3DE94BADB9A2244C4A32DAE6A23DFD751553B0FF9953C21B02CA0396D5DBF529C75B57D1A65D9EA86CE86D8D081E63E464D521
                                                      Malicious:false
                                                      Preview:ElfChnk.\...............\.............................G......................................................................\O................*.......................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i...................................mS..^...........**..8...\........=..............&...........|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.165801171629505
                                                      Encrypted:false
                                                      SSDEEP:384:thwCCRzCaCkClCzCYC/CyCVCGCMCvCtlCaf2Ca9CaECaAzCaFECa:tKFD
                                                      MD5:9236B0363C2E488481D99C2A3B97F664
                                                      SHA1:7DF4CAC91226C2E2E36DB78D931D4D8386177406
                                                      SHA-256:968CA40848BDBDDB24126CF3BA1EFE51973835B62A841A13ABBC3F3F76E2AAEC
                                                      SHA-512:7ADE9B5AE3499BB97FBBCAD1F38F530E9592F4CB4AC3472553A340E0D172704CDD3EA2DE39914F5A2ACB87934037EFDE369AF960256269AC221B5AD9724BE31C
                                                      Malicious:false
                                                      Preview:ElfChnk.....................................04..h6...j........................................................................o................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&...........................................................................................................v)....../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):86024
                                                      Entropy (8bit):4.638800414544038
                                                      Encrypted:false
                                                      SSDEEP:1536:wgDC0MXKNvQgfhgDC0MXKNvQgfUNDFEzJ03kHuy:wgDC0MXKNvQgfhgDC0MXKNvQgfUNDFE/
                                                      MD5:882DF385C14B6DB8CA49B9B6BF465D59
                                                      SHA1:19489A993433818116882A68E7ECA1942B8E9DFD
                                                      SHA-256:0FDDAAA519F8FAF237FEDAA80091930F655C651378FFC95FE02D80817DFBE6A8
                                                      SHA-512:4A66D227867D3A1F3BAECBD8BB073E794EEE5BAA67CF14143066CC83DA4B99E3953B4A1E6A22CC3549509705150E9C0097EC8464D08F18A7EC9366590E764004
                                                      Malicious:false
                                                      Preview:ElfChnk..&.......&.......&.......&...........M...P..$..5.....................................................................h..........................................6...=...........................................................................................................................f...............?...........................m...................M...F...............................U.......................................................................................................&...........**.......&..........f........F..&.......F...0.V%.d..wr........A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.1810965962810462
                                                      Encrypted:false
                                                      SSDEEP:384:vhL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm7UmLcUmWUmnUm:vY7LU
                                                      MD5:9D9C182984FF3C8DAFD9D7D27F9461F0
                                                      SHA1:72E2D06B61F085737906AD835D09009CFD047203
                                                      SHA-256:C3D5C4AD8C13B39C1EC967B6A9DFCA4ACC94E48C00D1BFAA3BCC5D7B6B134EC2
                                                      SHA-512:2906BF522ABB70A1E2F3F3DE63C732CCAC103B7F8D54CECF22730ED08A64BA1F6243CBC95EE1F1568ED45B7E608B60303B31B7A67EFDF52778CD239FF41F58E9
                                                      Malicious:false
                                                      Preview:ElfChnk......................................1..(4.............................................................................................. .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&............................................................................................................*..........**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):67776
                                                      Entropy (8bit):0.3675955178776093
                                                      Encrypted:false
                                                      SSDEEP:48:MGVWd88crP+8QNRBEZWTENO4brBT3oq4Z/6ykVWd88crP+8QNRBEZWTENO4brBTI:RUNVaO8Jov/6y4UNVaO8Jov/6y
                                                      MD5:FB6A77BFC0F2CC2543E6E7E36760EF28
                                                      SHA1:C12513E3D29C1CEE05735C5D4E5A2AAE45406434
                                                      SHA-256:FFB1CC07E30800A2F863320FB1C70607BB0784A6750DC734AE5D1129248E9A62
                                                      SHA-512:D4F44073C1C749509792AAB3868D1E007320A40E3C72562971328A485518BFEE1D98DAC6770C60105563D182027AC60B2764323218B82DF0B6176A7D3F8C8924
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.07967961973305
                                                      Encrypted:false
                                                      SSDEEP:384:VhIivhiuiMidiyiMi3iEiziXviiqYiMciEiri9iuiLsRi11iWiRmiNiHibifiGiS:VjZvaQKtM9QSp
                                                      MD5:C0228093C6D68E6BF2A2919C4757E19E
                                                      SHA1:4C30BEAA7AB56231126956EC83C6B9159B7C7809
                                                      SHA-256:214406B4B4C04186B2955537F29AC633824792BABF9EE5051B0857CCF9AE2763
                                                      SHA-512:B0E558BEF4B6A43636B87FDAA598BF8329E15920503ED2460B4D0B251BBB29B9CFAC37D35AC5DB0890A65F80A1F6F6AD85A0613CA36E550E70FE1A4354B2CE9F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):3.399283020631885
                                                      Encrypted:false
                                                      SSDEEP:768:0yaQLza9aFadadadaZadatahaJa9aNa9aFaOSaFata1ataNa9aRahada9aJatapy:9L
                                                      MD5:54208FDC0681EEB19DD55D526E591FB4
                                                      SHA1:7707617FC32F341A60280B97351CD4AF79D5B7D6
                                                      SHA-256:152F29295625822C1AAC740F1A45D28B5D74E2FC2EA6980FA8DB5212E2F8BDC1
                                                      SHA-512:BBE089058888C966E62E7F6902B0CA877EA472E40651B173A06CE9AC479364D494FACCE1A1E338C0622CA8944ABD2CAA5B4FE05F1B7EE3569368482E2964223F
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.3642612685419924
                                                      Encrypted:false
                                                      SSDEEP:384:dhaXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJ1qXJNXJLJXJxXJBXJfXJKH5:dQ0yUkNYwD8imLEUzL/HXxS
                                                      MD5:727E32931085339B0D59890FD3759197
                                                      SHA1:1281993447169E4AF0F4EEDE4F70524D766189F6
                                                      SHA-256:66D8CFCF522ABCC5813640D9315FB0FC1497236FEBAE41E1095547E137759BFD
                                                      SHA-512:24BF05FA33772320686E4BD6BF32512DD7BE460393304178292B93E7440B7D198A603C9EB45CCED0479A651C5D752B8E688A207B05E180793D41581E3AACE2FC
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.339319118040676
                                                      Encrypted:false
                                                      SSDEEP:384:mh/mcmtmrmsm1mkmQm6m4mnmdmgmsmnmChmxmomMmqmwmHmLmlm9mGmdmpm3mfmP:mNDcxPuxE9KA
                                                      MD5:F2254833A2ECFC2BE8343C689060E95C
                                                      SHA1:4E4CE2B2AE58A6A2EFB7D563F17DCBA59A83D2A7
                                                      SHA-256:A8B52451086D3042E2353D49E565422A083018D22C89F8447889BA77312DEA65
                                                      SHA-512:38DB34911D61CA2EFE5767C0344BEFF5D81ECEB09B6F7C1F8BC34F0E6F8DEBBB010471A78AA181D4F43941C91AB5C6DFD1D26970AE766E1E208DA776D4FC5FA5
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):0.7077930323266531
                                                      Encrypted:false
                                                      SSDEEP:384:ohK2nl2U52N2h2Ii2wAx2wI2ff2iW2R12Qc2nT2:op
                                                      MD5:EFAB9CB2241340892CAF25215B175900
                                                      SHA1:379AAFFC0E9465FBC553A8CD7587F45D07274D24
                                                      SHA-256:852B282863F4AD8B40A1CB715C9F3EA8B243472EF1D9E95035408AB586EB49BC
                                                      SHA-512:2702DFE388394AE71F7D2F012E3003F2D3586A5CC2300605D2FF2B14A3F99E4F7443D37203E9EB37101510406C34B6258063807359C31DEDDFE2177ADCB8CBA7
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 10, DIRTY
                                                      Category:dropped
                                                      Size (bytes):69632
                                                      Entropy (8bit):1.2817961984652106
                                                      Encrypted:false
                                                      SSDEEP:768:3kxEpP9JcY6+g4+Ga6oDXxIb13xIb13xIt13xI:3kCpP9JcY6+g4+Ga6
                                                      MD5:DBB33B8E4D2B78C61647ACFD99C89240
                                                      SHA1:9373F12B7039F1B52C2EA7203BC895C35788AD5C
                                                      SHA-256:99E865093BB6F181A0CF0D1E8056DA859DFAED1EDEE104909BBA52998644E9BC
                                                      SHA-512:0B43532A88103E9EDF9BF180716100A1B6A7596C5C50D9F7D6DEAE1BE00E4F6A7387942656EC3C4873B8200EE970FC446A955996EA8862CA6246F20154B56B90
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):107840
                                                      Entropy (8bit):3.560130587611318
                                                      Encrypted:false
                                                      SSDEEP:384:LJhpRuVRNRFBwRkRZR5FRT3RWQGRhRW0RWCRiCuRGRNRJRWCJRkt+RW0RFR6SRUe:LJKvaFTLAJKvaFTL8
                                                      MD5:85F1C4A1BC8C21EE1DA86249A3CDD811
                                                      SHA1:AE575058B36E350EBE430A3656F738BD50D4A1C7
                                                      SHA-256:EC4EA870D1354B2AB9B51F316DC3D9EAC40B4D12A3B0A43B06814F2FDAD4C5C4
                                                      SHA-512:7DD06074E187C34779DE578D1FCF895A94BE0B6BF100BC8D30685C8DF2C98A31F3543A0064D6926FEBDE697FFCD53954B27E22A3BB0ECF0B6EBCCE008A45B64D
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.269282050125859
                                                      Encrypted:false
                                                      SSDEEP:384:Vhghshy2h0hEhDh9vhghp6hXghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLha8:VbsFpkBSqL8wD
                                                      MD5:A58CC6DEC3C876BEEC16907FC49E19BA
                                                      SHA1:C2617D099C46BD902D85BD8FE90FC6F34995BA5A
                                                      SHA-256:BE9A153D8CFAB9F25D94444C14641599D6F8C868DB9675D3FA330E0C7C0110A6
                                                      SHA-512:4311D7F2C987CCE1F5EE8F78B867A87BFDE8D5E28C996B2BF1347B41063F38B6CB98BE968A962064C5920B9F355AA537FE5370FB78D52C69F5B81B279C394D5D
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):1.2593916356001515
                                                      Encrypted:false
                                                      SSDEEP:384:ahOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOV5VqVFlVmV8VVG:ayjbS
                                                      MD5:14652E4148A13AE019B3CF2CC20B5812
                                                      SHA1:0D6C33AC1CF9CF3EDB3B4632A0943BC7ED7521FC
                                                      SHA-256:3946831B472B0248BBBB225A2253A26A693E9155C3FFF0D8CE29897E07573134
                                                      SHA-512:0306DB2CBFEB878570FF4B4342CD6E89B056D9FE7E41029CE17FD08953749351EB65C8B942D36EB7842F6167219997D876270DC0B5528F4FFC13EB310B8F0324
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 5, DIRTY
                                                      Category:dropped
                                                      Size (bytes):4792
                                                      Entropy (8bit):4.026965098863943
                                                      Encrypted:false
                                                      SSDEEP:96:EZ1RNVaO8sow/sTYS5oz/sTf/sTpi/sTpbRrjjsV/sTz:EZ9V7Xk8kozkDkNikN1vakf
                                                      MD5:821F649921B8C7179B6C69E9390EFA83
                                                      SHA1:6110976C31E072D4830210E59B3D94FB4ECA586C
                                                      SHA-256:F270F04284E0DEB3EBAFB7FDA3D95D44F41E6FEEFACF922A18CCE1464CFFDB29
                                                      SHA-512:73336DD68AF78346338F398547834D5231492CF7A97C1F7B317423ABF5D332EF7C0F101685F61AAAC8178ABE48CB910545F200BA6C8E38FA3332B1FA93996D9C
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.321350579003702
                                                      Encrypted:false
                                                      SSDEEP:384:3h4BwBxNqObx1rBwBwQtBwBnp+/0JBwBc/wBwBwtBwBwTBwBAs0BwBABwB2oBwBI:3/NqObx/Ms/QfcjDsM
                                                      MD5:5753C5DA2999E5EB24CC2BE76D2F0ECE
                                                      SHA1:0DD2CE3FD1CCE96824AEDAE76C58343E7B75DF5A
                                                      SHA-256:23D70D433A33814EE004B0D2F8BA64D1C39482293CBBAC98C09540D3FD869283
                                                      SHA-512:ECE8D33341F2455E3F3A8D44E194F3B4E274CFAB521C1D7483A71497F372D7EF528340325DF9320A215700C5058FF04A0017E06603DF24186C068E677D0C5DE9
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):65536
                                                      Entropy (8bit):4.396202402379334
                                                      Encrypted:false
                                                      SSDEEP:384:IMh4UEiUEfUE5UE0UEfUEtUEpUEAUELUEvUEcUEJUEBUE3UEHUERUExUEeUEaUEW:voHgSNX8+BoUYUkIO
                                                      MD5:838CCFDA7EEB847C3F96507592B3480B
                                                      SHA1:1D1C0CA6AFCCC861AFB6B7D2BD500657CC139AC7
                                                      SHA-256:2E474ECD1D96758EA0BD52D3C594998DFC30DCB83270638B107B41B81FB51339
                                                      SHA-512:59156BC3267CABA12BB8F542EF10E409F0E685731E8C916681457C9376B36A84DB13B29F006C049528E1E78D63168B9C4B521088FB08445F208432BBDC0EC749
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):105712
                                                      Entropy (8bit):4.449901489636788
                                                      Encrypted:false
                                                      SSDEEP:384:FFRUBGovbV5ohhoPXoLG9WS6CoOCoLG2oLGEoPkoPjboLG+eSoeSoLGdoLGEoPv0:Hspsay5yt0WW398Q4D2WBsmxE
                                                      MD5:E6FFBFAE55B8849A25816086920912F0
                                                      SHA1:9461ADA1927FE4C0F4EE4CB27C15DE3B20AB9D74
                                                      SHA-256:FE2C8BE91C25F240390A5E3A64C52842AF13E7714C8553CFF29502B2274A3AE8
                                                      SHA-512:4CCE5558A9F2A7D3F41BBD650760F9F9C9EB3CF9B07037FA8654EFE716F5FE545DF8E581BCDB61C03C7F2CBB658DC7E6C1C78D9ACBFAD2FB9EBA53B8DE81458A
                                                      Malicious:false
                                                      Process:C:\Windows\System32\svchost.exe
                                                      File Type:data
                                                      Category:modified
                                                      Size (bytes):79904
                                                      Entropy (8bit):4.885534819572413
                                                      Encrypted:false
                                                      SSDEEP:768:DWcWMzwDl3VGg5OwELSTFxCydU5ESmqiWqiZqiKqi9tWcTveb:4DX/1MZTiDiEiPiPb8
                                                      MD5:78035F7933877CACCB2A2F6238A59C83
                                                      SHA1:184A70BF419838E815CB069CE6735B7550BB8978
                                                      SHA-256:94DE6972A729DE51C5D145C6F29441844D390945887A0BB4CB92F4C4C357E726
                                                      SHA-512:045BD66FB93B9EF5AC01F73851645336316303FBBE21AC6D31D8BCA8C9868EE2EE8E97E4C41F5427F7EC62604A27BCC3C11315CFE0729D2901E10820F0D40DC1
                                                      Malicious:false
                                                      Process:C:\Windows\SysWOW64\rundll32.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3784704
                                                      Entropy (8bit):7.693085604801658
                                                      Encrypted:false
                                                      SSDEEP:98304:48qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3:48qPe1Cxcxk3ZAEUadzR8s
                                                      MD5:433720564D376A59C4FC3F2F8ACEC030
                                                      SHA1:1B67A91E2CFF865A48044C68450FF3E049C6FE03
                                                      SHA-256:8A011965CE221498AEA2C6AC4D3EE14BAA25084754114A6B6B6D72DA416DF8E3
                                                      SHA-512:40F87B8E000BDE626EEABFB434548FD2E21C2D37EF169DC331854EFD35E5B089132CC6F5865AFDFA2D260EF82F1FFBE94A1E2EE5C5C41E34AC489B23E48ACE0C
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                      • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 95%
                                                      Process:C:\Windows\mssecsvc.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):3514368
                                                      Entropy (8bit):7.777724762407647
                                                      Encrypted:false
                                                      SSDEEP:98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3x:QqPe1Cxcxk3ZAEUadzR8sB
                                                      MD5:79409B6F48460807480E4A574312D85F
                                                      SHA1:5D9F64CCF13081441F2785A535E02312236445D9
                                                      SHA-256:331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
                                                      SHA-512:AC004B3248CBC2CE7B6D566E3F5128195669E5C53C24AE13668E37FDADCB5158CC345D7A33CADFED6328A25A640C5FA612D0F0DB86989C3ACC21771B55508916
                                                      Malicious:true
                                                      Yara Hits:
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security
                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                      • Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
                                                      Antivirus:
                                                      • Antivirus: Avira, Detection: 100%
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 93%
                                                      Joe Sandbox View:
                                                      • Filename: UR9TBr66am.dll, Detection: malicious, Browse
                                                      • Filename: eAx3JV2z84.dll, Detection: malicious, Browse
                                                      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.142203098578501
                                                      TrID:
                                                      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                      • Generic Win/DOS Executable (2004/3) 0.20%
                                                      • DOS Executable Generic (2002/1) 0.20%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:542CxvZnI5.dll
                                                      File size:5'267'459 bytes
                                                      MD5:be3c1ef872e8e146ff78e66271ca261b
                                                      SHA1:0e3c7374332d4a507fdbd7b30f5f78d7a4fbafcc
                                                      SHA256:f63eb4858e66889e8b62e6e72fe5d5620995c3fccaa8cd23043c22ddb3c6aa02
                                                      SHA512:38cb75392e90e52a874f1e0bf128f3156d0e330fd67ca68f0b109219f232235eaf39e7e207c21c31aba01b15594c65bfabea8a40856000dfc4cd41699d4f0486
                                                      SSDEEP:98304:18qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3:18qPe1Cxcxk3ZAEUadzR8s
                                                      TLSH:0D36E052D2850EA4D5E10AF61269DB50A77F2F5582AFB23E2621402F1CB7F1C9DE4F2C
                                                      Icon Hash:7ae282899bbab082
                                                      Entrypoint:0x100011e9
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x10000000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                      DLL Characteristics:
                                                      Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                                      Instruction
                                                      push ebp
                                                      mov ebp, esp
                                                      push ebx
                                                      mov ebx, dword ptr [ebp+08h]
                                                      push esi
                                                      mov esi, dword ptr [ebp+0Ch]
                                                      push edi
                                                      mov edi, dword ptr [ebp+10h]
                                                      test esi, esi
                                                      jne 00007F2F288825FBh
                                                      cmp dword ptr [10003140h], 00000000h
                                                      jmp 00007F2F28882618h
                                                      cmp esi, 01h
                                                      je 00007F2F288825F7h
                                                      cmp esi, 02h
                                                      jne 00007F2F28882614h
                                                      mov eax, dword ptr [10003150h]
                                                      test eax, eax
                                                      je 00007F2F288825FBh
                                                      push edi
                                                      push esi
                                                      push ebx
                                                      call eax
                                                      test eax, eax
                                                      je 00007F2F288825FEh
                                                      push edi
                                                      push esi
                                                      push ebx
                                                      call 00007F2F2888250Ah
                                                      test eax, eax
                                                      jne 00007F2F288825F6h
                                                      xor eax, eax
                                                      jmp 00007F2F28882640h
                                                      push edi
                                                      push esi
                                                      push ebx
                                                      call 00007F2F288823BCh
                                                      cmp esi, 01h
                                                      mov dword ptr [ebp+0Ch], eax
                                                      jne 00007F2F288825FEh
                                                      test eax, eax
                                                      jne 00007F2F28882629h
                                                      push edi
                                                      push eax
                                                      push ebx
                                                      call 00007F2F288824E6h
                                                      test esi, esi
                                                      je 00007F2F288825F7h
                                                      cmp esi, 03h
                                                      jne 00007F2F28882618h
                                                      push edi
                                                      push esi
                                                      push ebx
                                                      call 00007F2F288824D5h
                                                      test eax, eax
                                                      jne 00007F2F288825F5h
                                                      and dword ptr [ebp+0Ch], eax
                                                      cmp dword ptr [ebp+0Ch], 00000000h
                                                      je 00007F2F28882603h
                                                      mov eax, dword ptr [10003150h]
                                                      test eax, eax
                                                      je 00007F2F288825FAh
                                                      push edi
                                                      push esi
                                                      push ebx
                                                      call eax
                                                      mov dword ptr [ebp+0Ch], eax
                                                      mov eax, dword ptr [ebp+0Ch]
                                                      pop edi
                                                      pop esi
                                                      pop ebx
                                                      pop ebp
                                                      retn 000Ch
                                                      jmp dword ptr [10002028h]
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      add byte ptr [eax], al
                                                      Programming Language:
                                                      • [ C ] VS98 (6.0) build 8168
                                                      • [C++] VS98 (6.0) build 8168
                                                      • [RES] VS98 (6.0) cvtres build 1720
                                                      • [LNK] VS98 (6.0) imp/exp build 8168
                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                      .text | 0x1000 | 0x28c | 0x1000 | 8de9a2cb31e4c74bd008b871d14bfafc | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                      .rdata | 0x2000 | 0x1d8 | 0x1000 | 3dd394f95ab218593f2bc8eb65184db4 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .data | 0x3000 | 0x154 | 0x1000 | fe5022c5b5d015ad38b2b77fc437a5cb | False | 0.016845703125 | Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0 | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                      .rsrc | 0x4000 | 0x500060 | 0x501000 | 0a77449cf0d1b94754f2c4139a743468 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                      .reloc | 0x505000 | 0x2ac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                      W | 0x4060 | 0x500000 | data | English | United States | 0.877049446105957
                                                      DLL | Import
                                                      KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
                                                      MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
                                                      Name | Ordinal | Address
                                                      PlayGame | 1 | 0x10001114
                                                      Language of compilation system | Country where language is spoken | Map
                                                      English | United States |
                                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                      2025-01-15T02:52:28.619850+0100 | 2012730 | ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup | 1 | 192.168.2.5 | 49261 | 1.1.1.1 | 53 | UDP
                                                      2025-01-15T02:53:20.056518+0100 | 2012730 | ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup | 1 | 192.168.2.5 | 63298 | 1.1.1.1 | 53 | UDP
                                                      2025-01-15T02:53:28.828299+0100 | 2811577 | ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) | 1 | 1.1.1.1 | 53 | 192.168.2.5 | 49370 | UDP
                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                      Jan 15, 2025 02:52:11.730578899 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.730595112 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.730609894 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.730624914 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.730640888 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.730694056 CET49708443192.168.2.540.126.32.74
                                                      Jan 15, 2025 02:52:11.730694056 CET49708443192.168.2.540.126.32.74
                                                      Jan 15, 2025 02:52:11.730694056 CET49708443192.168.2.540.126.32.74
                                                      Jan 15, 2025 02:52:11.731462955 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.731506109 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.731520891 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.731538057 CET4434970840.126.32.74192.168.2.5
                                                      Jan 15, 2025 02:52:11.731558084 CET49708443192.168.2.540.126.32.74
                                                      Jan 15, 2025 02:52:11.731590986 CET49708443192.168.2.540.126.32.74
                                                      Jan 15, 2025 02:52:11.966383934 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:11.966423988 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:11.966514111 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:11.967173100 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:11.967189074 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.755712032 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.756025076 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.760185003 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.760194063 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.760545969 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.761679888 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.761679888 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.761696100 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.762059927 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.803333044 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.932847977 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.933016062 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:12.933079004 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.933209896 CET49716443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:12.933224916 CET4434971640.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:16.440470934 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:16.440507889 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:16.440572023 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:16.441740036 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:16.441757917 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.243046045 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.243192911 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.248660088 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.248672962 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.249006033 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.250281096 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.250281096 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.250312090 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.250485897 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.291335106 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.422555923 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.422672033 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.423055887 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.423652887 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.423671007 CET4434971940.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.423702955 CET49719443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.473115921 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.473166943 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:17.473273993 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.474247932 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:17.474276066 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.257375002 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.257621050 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.259862900 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.259901047 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.260237932 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.261888027 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.261955023 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.261967897 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.262123108 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.307332993 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.432503939 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.432678938 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:18.432763100 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.432948112 CET49720443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:18.432976961 CET4434972040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:20.723815918 CET49675443192.168.2.523.1.237.91
                                                      Jan 15, 2025 02:52:20.739264965 CET49674443192.168.2.523.1.237.91
                                                      Jan 15, 2025 02:52:20.917535067 CET49673443192.168.2.523.1.237.91
                                                      Jan 15, 2025 02:52:22.702295065 CET4434971123.1.237.91192.168.2.5
                                                      Jan 15, 2025 02:52:22.703349113 CET49711443192.168.2.523.1.237.91
                                                      Jan 15, 2025 02:52:26.934753895 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.934843063 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:26.935086012 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.935887098 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.935921907 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:26.942864895 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.942903042 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:26.943133116 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.944188118 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:26.944216013 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.722179890 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.722263098 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.724967003 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.724977970 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.725771904 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.727305889 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.727353096 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.727361917 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.727437019 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.755760908 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.755877018 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.758522987 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.758542061 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.759393930 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.764447927 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.764447927 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.764448881 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.764472961 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.771333933 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.811345100 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.897452116 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.897579908 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.897639036 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.897736073 CET49742443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.897754908 CET4434974240.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.944645882 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.944855928 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:27.945178032 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.945178032 CET49743443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:52:27.945213079 CET4434974340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:52:28.638199091 CET4975480192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.638273001 CET4975580192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.643032074 CET804975483.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:28.643090963 CET4975480192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.643117905 CET4975480192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.643119097 CET804975583.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:28.643296957 CET4975580192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.643333912 CET4975580192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.647918940 CET804975483.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:28.647983074 CET4975480192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.648061991 CET804975583.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:28.648106098 CET4975580192.168.2.583.133.119.197
                                                      Jan 15, 2025 02:52:28.654258013 CET804975483.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:28.654438019 CET804975583.133.119.197192.168.2.5
                                                      Jan 15, 2025 02:52:33.689945936 CET49789445192.168.2.595.214.158.125
                                                      Jan 15, 2025 02:52:33.694780111 CET4454978995.214.158.125192.168.2.5
                                                      Jan 15, 2025 02:52:33.695135117 CET49789445192.168.2.595.214.158.125
                                                      Jan 15, 2025 02:52:33.695135117 CET49789445192.168.2.595.214.158.125
                                                      Jan 15, 2025 02:52:33.695354939 CET49790445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.700073957 CET4454978995.214.158.125192.168.2.5
                                                      Jan 15, 2025 02:52:33.700182915 CET4454979095.214.158.1192.168.2.5
                                                      Jan 15, 2025 02:52:33.700213909 CET49789445192.168.2.595.214.158.125
                                                      Jan 15, 2025 02:52:33.700329065 CET49790445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.700329065 CET49790445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.705254078 CET4454979095.214.158.1192.168.2.5
                                                      Jan 15, 2025 02:52:33.705393076 CET49790445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.731924057 CET49791445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.736722946 CET4454979195.214.158.1192.168.2.5
                                                      Jan 15, 2025 02:52:33.737901926 CET49791445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.737962961 CET49791445192.168.2.595.214.158.1
                                                      Jan 15, 2025 02:52:33.742742062 CET4454979195.214.158.1192.168.2.5
                                                      Jan 15, 2025 02:52:35.662362099 CET49824445192.168.2.5138.40.81.25
                                                      Jan 15, 2025 02:52:35.667191982 CET44549824138.40.81.25192.168.2.5
                                                      Jan 15, 2025 02:52:35.667269945 CET49824445192.168.2.5138.40.81.25
                                                      Jan 15, 2025 02:52:35.667361975 CET49824445192.168.2.5138.40.81.25
                                                      Jan 15, 2025 02:52:35.667551041 CET49825445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.672508955 CET44549824138.40.81.25192.168.2.5
                                                      Jan 15, 2025 02:52:35.672568083 CET49824445192.168.2.5138.40.81.25
                                                      Jan 15, 2025 02:52:35.672601938 CET44549825138.40.81.1192.168.2.5
                                                      Jan 15, 2025 02:52:35.672672987 CET49825445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.672743082 CET49825445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.673798084 CET49826445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.677567005 CET44549825138.40.81.1192.168.2.5
                                                      Jan 15, 2025 02:52:35.677752018 CET49825445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.678541899 CET44549826138.40.81.1192.168.2.5
                                                      Jan 15, 2025 02:52:35.678654909 CET49826445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.678829908 CET49826445192.168.2.5138.40.81.1
                                                      Jan 15, 2025 02:52:35.683545113 CET44549826138.40.81.1192.168.2.5
                                                      Jan 15, 2025 02:52:37.678694010 CET49861445192.168.2.5149.11.181.160
                                                      Jan 15, 2025 02:52:37.683746099 CET44549861149.11.181.160192.168.2.5
                                                      Jan 15, 2025 02:52:37.683818102 CET49861445192.168.2.5149.11.181.160
                                                      Jan 15, 2025 02:52:37.683986902 CET49861445192.168.2.5149.11.181.160
                                                      Jan 15, 2025 02:52:37.684063911 CET49862445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.689173937 CET44549861149.11.181.160192.168.2.5
                                                      Jan 15, 2025 02:52:37.689191103 CET44549862149.11.181.1192.168.2.5
                                                      Jan 15, 2025 02:52:37.689275026 CET49862445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.689358950 CET49862445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.689600945 CET49861445192.168.2.5149.11.181.160
                                                      Jan 15, 2025 02:52:37.691167116 CET49863445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.694207907 CET44549862149.11.181.1192.168.2.5
                                                      Jan 15, 2025 02:52:37.694273949 CET49862445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.696052074 CET44549863149.11.181.1192.168.2.5
                                                      Jan 15, 2025 02:52:37.696346045 CET49863445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.696388006 CET49863445192.168.2.5149.11.181.1
                                                      Jan 15, 2025 02:52:37.701464891 CET44549863149.11.181.1192.168.2.5
                                                      Jan 15, 2025 02:52:39.694133997 CET49900445192.168.2.5181.1.73.231
                                                      Jan 15, 2025 02:52:39.698961973 CET44549900181.1.73.231192.168.2.5
                                                      Jan 15, 2025 02:52:39.700259924 CET49900445192.168.2.5181.1.73.231
                                                      Jan 15, 2025 02:52:39.700299978 CET49900445192.168.2.5181.1.73.231
                                                      Jan 15, 2025 02:52:39.700464010 CET49902445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.705235958 CET44549902181.1.73.1192.168.2.5
                                                      Jan 15, 2025 02:52:39.705279112 CET44549900181.1.73.231192.168.2.5
                                                      Jan 15, 2025 02:52:39.705301046 CET49902445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.705323935 CET49900445192.168.2.5181.1.73.231
                                                      Jan 15, 2025 02:52:39.705363035 CET49902445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.706428051 CET49903445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.710199118 CET44549902181.1.73.1192.168.2.5
                                                      Jan 15, 2025 02:52:39.711239100 CET44549903181.1.73.1192.168.2.5
                                                      Jan 15, 2025 02:52:39.711318970 CET49902445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.711330891 CET49903445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.711401939 CET49903445192.168.2.5181.1.73.1
                                                      Jan 15, 2025 02:52:39.716139078 CET44549903181.1.73.1192.168.2.5
                                                      Jan 15, 2025 02:52:41.766540051 CET49939445192.168.2.594.120.0.35
                                                      Jan 15, 2025 02:52:41.772550106 CET4454993994.120.0.35192.168.2.5
                                                      Jan 15, 2025 02:52:41.772630930 CET49939445192.168.2.594.120.0.35
                                                      Jan 15, 2025 02:52:41.774513960 CET49939445192.168.2.594.120.0.35
                                                      Jan 15, 2025 02:52:41.780411959 CET4454993994.120.0.35192.168.2.5
                                                      Jan 15, 2025 02:52:41.780493975 CET49939445192.168.2.594.120.0.35
                                                      Jan 15, 2025 02:52:41.797735929 CET49940445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.802592993 CET4454994094.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:52:41.802680016 CET49940445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.805160046 CET49940445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.810051918 CET4454994094.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:52:41.810117006 CET49940445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.872359991 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.878160000 CET4454994294.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:52:41.878263950 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.883297920 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:52:41.891169071 CET4454994294.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:52:43.725167990 CET49974445192.168.2.5193.175.220.134
                                                      Jan 15, 2025 02:52:43.730156898 CET44549974193.175.220.134192.168.2.5
                                                      Jan 15, 2025 02:52:43.730411053 CET49975445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:52:43.730511904 CET49974445192.168.2.5193.175.220.134
                                                      Jan 15, 2025 02:52:43.730511904 CET49974445192.168.2.5193.175.220.134
                                                      Jan 15, 2025 02:52:43.735301971 CET44549975193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:52:43.735395908 CET49975445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:52:43.735395908 CET49975445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:52:43.735481977 CET44549974193.175.220.134192.168.2.5
                                                      Jan 15, 2025 02:52:43.735569954 CET49974445192.168.2.5193.175.220.134
                                                      Jan 15, 2025 02:52:43.736105919 CET49976445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:52:43.740289927 CET44549975193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:06.211383104 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.016448021 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.016601086 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.026791096 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.026808977 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.027734041 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.030390024 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.030515909 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.030520916 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.030694008 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.071332932 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.106090069 CET44550010198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:07.106232882 CET50010445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:07.106257915 CET50010445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:07.106291056 CET50010445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:07.111061096 CET44550010198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:07.111076117 CET44550010198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:07.205177069 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.205394983 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:07.205460072 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.205586910 CET50300443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:07.205601931 CET4435030040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:08.068057060 CET50312445192.168.2.5221.170.202.170
                                                      Jan 15, 2025 02:53:08.073044062 CET44550312221.170.202.170192.168.2.5
                                                      Jan 15, 2025 02:53:08.073241949 CET50312445192.168.2.5221.170.202.170
                                                      Jan 15, 2025 02:53:08.073241949 CET50312445192.168.2.5221.170.202.170
                                                      Jan 15, 2025 02:53:08.073358059 CET50313445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.078124046 CET44550313221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:08.078217030 CET44550312221.170.202.170192.168.2.5
                                                      Jan 15, 2025 02:53:08.078241110 CET50313445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.078301907 CET50312445192.168.2.5221.170.202.170
                                                      Jan 15, 2025 02:53:08.078304052 CET50313445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.078563929 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.083106041 CET44550313221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:08.083277941 CET50313445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.083324909 CET44550314221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:08.083380938 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.083425045 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:08.088212013 CET44550314221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:08.114516020 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:08.119271040 CET44550315193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:08.119339943 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:08.119386911 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:08.124140978 CET44550315193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.159061909 CET4455005039.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.159192085 CET50050445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:09.159332991 CET50050445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:09.159429073 CET50050445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:09.164053917 CET4455005039.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.164167881 CET4455005039.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.796125889 CET4454994294.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.796233892 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:09.796320915 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:09.796400070 CET49942445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:09.801115036 CET4454994294.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.801256895 CET4454994294.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.963219881 CET50316445192.168.2.5172.2.157.167
                                                      Jan 15, 2025 02:53:09.968090057 CET44550316172.2.157.167192.168.2.5
                                                      Jan 15, 2025 02:53:09.968203068 CET50316445192.168.2.5172.2.157.167
                                                      Jan 15, 2025 02:53:09.970602989 CET50316445192.168.2.5172.2.157.167
                                                      Jan 15, 2025 02:53:09.975528002 CET44550316172.2.157.167192.168.2.5
                                                      Jan 15, 2025 02:53:09.975600958 CET50316445192.168.2.5172.2.157.167
                                                      Jan 15, 2025 02:53:09.977983952 CET50317445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:09.982795000 CET44550317172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.982887983 CET50317445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:09.985435009 CET50317445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:09.990247011 CET44550317172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.990355015 CET50317445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:09.994036913 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:09.998951912 CET44550318172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:09.999022007 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:10.002051115 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:10.006891012 CET44550318172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:10.124213934 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:10.129210949 CET44550319198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:10.129312038 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:10.137989998 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:10.142766953 CET44550319198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.154299021 CET44550085160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.154367924 CET50085445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:11.154556990 CET50085445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:11.154556990 CET50085445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:11.159374952 CET44550085160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.159389973 CET44550085160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.352607965 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:11.352658987 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:11.352782011 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:11.353432894 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:11.353447914 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:11.692992926 CET50321445192.168.2.580.134.5.25
                                                      Jan 15, 2025 02:53:11.697922945 CET4455032180.134.5.25192.168.2.5
                                                      Jan 15, 2025 02:53:11.698106050 CET50321445192.168.2.580.134.5.25
                                                      Jan 15, 2025 02:53:11.698106050 CET50321445192.168.2.580.134.5.25
                                                      Jan 15, 2025 02:53:11.698173046 CET50322445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.703067064 CET4455032280.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.703125954 CET50322445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.703140020 CET4455032180.134.5.25192.168.2.5
                                                      Jan 15, 2025 02:53:11.703166008 CET50322445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.703187943 CET50321445192.168.2.580.134.5.25
                                                      Jan 15, 2025 02:53:11.703377008 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.708050013 CET4455032280.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.708103895 CET50322445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.708138943 CET4455032380.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:11.708195925 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.708219051 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:11.712997913 CET4455032380.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:12.131320953 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.131390095 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.140533924 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.140552998 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.140777111 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.142208099 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.142349005 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.142354965 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.142471075 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.161334991 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:12.166209936 CET4455032439.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:12.166280985 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:12.166306973 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:12.171075106 CET4455032439.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:12.183336973 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.317111015 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.317339897 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.317392111 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.317529917 CET50320443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:12.317547083 CET4435032040.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:12.818080902 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:12.822978020 CET4455032594.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:12.823048115 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:12.827941895 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:12.832726955 CET4455032594.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.188628912 CET44550121211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.188703060 CET50121445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:13.188750982 CET50121445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:13.188798904 CET50121445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:13.193612099 CET44550121211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.193623066 CET44550121211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.333453894 CET50326445192.168.2.551.62.241.233
                                                      Jan 15, 2025 02:53:13.338366985 CET4455032651.62.241.233192.168.2.5
                                                      Jan 15, 2025 02:53:13.338447094 CET50326445192.168.2.551.62.241.233
                                                      Jan 15, 2025 02:53:13.338500023 CET50326445192.168.2.551.62.241.233
                                                      Jan 15, 2025 02:53:13.338613987 CET50327445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.344002008 CET4455032751.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.344064951 CET50327445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.344108105 CET50327445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.344136953 CET4455032651.62.241.233192.168.2.5
                                                      Jan 15, 2025 02:53:13.344183922 CET50326445192.168.2.551.62.241.233
                                                      Jan 15, 2025 02:53:13.344301939 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.351491928 CET4455032851.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.351561069 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.351593018 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.351803064 CET4455032751.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:13.351857901 CET50327445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:13.373023033 CET4455032851.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.161367893 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:14.166188002 CET44550329160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.166274071 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:14.166295052 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:14.171019077 CET44550329160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.871778011 CET50330445192.168.2.557.0.54.102
                                                      Jan 15, 2025 02:53:14.876586914 CET4455033057.0.54.102192.168.2.5
                                                      Jan 15, 2025 02:53:14.876796007 CET50330445192.168.2.557.0.54.102
                                                      Jan 15, 2025 02:53:14.876902103 CET50330445192.168.2.557.0.54.102
                                                      Jan 15, 2025 02:53:14.877084017 CET50331445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.881920099 CET4455033057.0.54.102192.168.2.5
                                                      Jan 15, 2025 02:53:14.881931067 CET4455033157.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.882008076 CET50330445192.168.2.557.0.54.102
                                                      Jan 15, 2025 02:53:14.882021904 CET50331445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.885247946 CET50331445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.890041113 CET4455033157.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.890115976 CET50331445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.895329952 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.900244951 CET4455033257.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:14.900331974 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.900371075 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:14.905128002 CET4455033257.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:15.360476017 CET44550161137.175.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:15.360541105 CET50161445192.168.2.5137.175.162.1
                                                      Jan 15, 2025 02:53:15.363646030 CET50161445192.168.2.5137.175.162.1
                                                      Jan 15, 2025 02:53:15.363646030 CET50161445192.168.2.5137.175.162.1
                                                      Jan 15, 2025 02:53:15.368510962 CET44550161137.175.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:15.368520975 CET44550161137.175.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.192655087 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:16.197468996 CET44550333211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.197648048 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:16.197648048 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:16.202425957 CET44550333211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.302442074 CET50334445192.168.2.5174.70.176.190
                                                      Jan 15, 2025 02:53:16.307224035 CET44550334174.70.176.190192.168.2.5
                                                      Jan 15, 2025 02:53:16.307331085 CET50334445192.168.2.5174.70.176.190
                                                      Jan 15, 2025 02:53:16.307395935 CET50334445192.168.2.5174.70.176.190
                                                      Jan 15, 2025 02:53:16.307533026 CET50335445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.312263966 CET44550334174.70.176.190192.168.2.5
                                                      Jan 15, 2025 02:53:16.312361002 CET44550335174.70.176.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.312369108 CET44550334174.70.176.190192.168.2.5
                                                      Jan 15, 2025 02:53:16.312410116 CET50335445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.312446117 CET50334445192.168.2.5174.70.176.190
                                                      Jan 15, 2025 02:53:16.312494993 CET50335445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.312737942 CET50336445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.317333937 CET44550335174.70.176.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.317411900 CET50335445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.317492962 CET44550336174.70.176.1192.168.2.5
                                                      Jan 15, 2025 02:53:16.317590952 CET50336445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.317611933 CET50336445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:16.322453976 CET44550336174.70.176.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.374237061 CET44550194148.47.58.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.374325991 CET50194445192.168.2.5148.47.58.1
                                                      Jan 15, 2025 02:53:17.394575119 CET50194445192.168.2.5148.47.58.1
                                                      Jan 15, 2025 02:53:17.394718885 CET50194445192.168.2.5148.47.58.1
                                                      Jan 15, 2025 02:53:17.399490118 CET44550194148.47.58.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.399566889 CET44550194148.47.58.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.630461931 CET50337445192.168.2.5109.99.7.155
                                                      Jan 15, 2025 02:53:17.635236025 CET44550337109.99.7.155192.168.2.5
                                                      Jan 15, 2025 02:53:17.635303974 CET50337445192.168.2.5109.99.7.155
                                                      Jan 15, 2025 02:53:17.635365963 CET50337445192.168.2.5109.99.7.155
                                                      Jan 15, 2025 02:53:17.635468960 CET50338445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.640314102 CET44550338109.99.7.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.640345097 CET44550337109.99.7.155192.168.2.5
                                                      Jan 15, 2025 02:53:17.640382051 CET50338445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.640400887 CET50337445192.168.2.5109.99.7.155
                                                      Jan 15, 2025 02:53:17.640485048 CET50338445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.640737057 CET50339445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.645452023 CET44550338109.99.7.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.645526886 CET50338445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.645581007 CET44550339109.99.7.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.645634890 CET50339445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.645663977 CET50339445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:17.650460005 CET44550339109.99.7.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.818835974 CET44550336174.70.176.1192.168.2.5
                                                      Jan 15, 2025 02:53:17.818962097 CET50336445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:17.819019079 CET50336445192.168.2.5174.70.176.1
                                                      Jan 15, 2025 02:53:17.819019079 CET50336445192.168.2.5174.70.176.1
Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Jan 15, 2025 02:53:17.823858023 CET       445     50336  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:17.823868990 CET       445     50336  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:18.364526033 CET     50340       445  192.168.2.5      137.175.162.1
Jan 15, 2025 02:53:18.369520903 CET       445     50340  137.175.162.1    192.168.2.5
Jan 15, 2025 02:53:18.369610071 CET     50340       445  192.168.2.5      137.175.162.1
Jan 15, 2025 02:53:18.369688988 CET     50340       445  192.168.2.5      137.175.162.1
Jan 15, 2025 02:53:18.374557972 CET       445     50340  137.175.162.1    192.168.2.5
Jan 15, 2025 02:53:18.865128994 CET     50341       445  192.168.2.5      62.182.54.185
Jan 15, 2025 02:53:18.870071888 CET       445     50341  62.182.54.185    192.168.2.5
Jan 15, 2025 02:53:18.870277882 CET     50341       445  192.168.2.5      62.182.54.185
Jan 15, 2025 02:53:18.870277882 CET     50341       445  192.168.2.5      62.182.54.185
Jan 15, 2025 02:53:18.870414019 CET     50342       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.875322104 CET       445     50342  62.182.54.1      192.168.2.5
Jan 15, 2025 02:53:18.875332117 CET       445     50341  62.182.54.185    192.168.2.5
Jan 15, 2025 02:53:18.875401974 CET     50341       445  192.168.2.5      62.182.54.185
Jan 15, 2025 02:53:18.875438929 CET     50342       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.875708103 CET     50343       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.875751972 CET     50342       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.880536079 CET       445     50343  62.182.54.1      192.168.2.5
Jan 15, 2025 02:53:18.880554914 CET       445     50342  62.182.54.1      192.168.2.5
Jan 15, 2025 02:53:18.880611897 CET     50343       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.880681038 CET     50343       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.880728960 CET     50342       445  192.168.2.5      62.182.54.1
Jan 15, 2025 02:53:18.885495901 CET       445     50343  62.182.54.1      192.168.2.5
Jan 15, 2025 02:53:19.356791019 CET       445     50230  140.70.135.1     192.168.2.5
Jan 15, 2025 02:53:19.356901884 CET     50230       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:19.356946945 CET     50230       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:19.357002974 CET     50230       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:19.361784935 CET       445     50230  140.70.135.1     192.168.2.5
Jan 15, 2025 02:53:19.361794949 CET       445     50230  140.70.135.1     192.168.2.5
Jan 15, 2025 02:53:19.499252081 CET       445     50232  95.214.158.1     192.168.2.5
Jan 15, 2025 02:53:19.499475002 CET     50232       445  192.168.2.5      95.214.158.1
Jan 15, 2025 02:53:19.499475002 CET     50232       445  192.168.2.5      95.214.158.1
Jan 15, 2025 02:53:19.499584913 CET     50232       445  192.168.2.5      95.214.158.1
Jan 15, 2025 02:53:19.504328966 CET       445     50232  95.214.158.1     192.168.2.5
Jan 15, 2025 02:53:19.504354000 CET       445     50232  95.214.158.1     192.168.2.5
Jan 15, 2025 02:53:19.552243948 CET     50344       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.559099913 CET       445     50344  95.214.158.2     192.168.2.5
Jan 15, 2025 02:53:19.559247971 CET     50344       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.559366941 CET     50344       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.560652971 CET     50345       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.564304113 CET       445     50344  95.214.158.2     192.168.2.5
Jan 15, 2025 02:53:19.565464973 CET       445     50345  95.214.158.2     192.168.2.5
Jan 15, 2025 02:53:19.565536022 CET     50345       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.565735102 CET       445     50344  95.214.158.2     192.168.2.5
Jan 15, 2025 02:53:19.565800905 CET     50344       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.566175938 CET     50345       445  192.168.2.5      95.214.158.2
Jan 15, 2025 02:53:19.571026087 CET       445     50345  95.214.158.2     192.168.2.5
Jan 15, 2025 02:53:20.058927059 CET     50346       445  192.168.2.5      111.48.240.74
Jan 15, 2025 02:53:20.063808918 CET       445     50346  111.48.240.74    192.168.2.5
Jan 15, 2025 02:53:20.063880920 CET     50346       445  192.168.2.5      111.48.240.74
Jan 15, 2025 02:53:20.063968897 CET     50346       445  192.168.2.5      111.48.240.74
Jan 15, 2025 02:53:20.064075947 CET     50347       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.068896055 CET       445     50347  111.48.240.1     192.168.2.5
Jan 15, 2025 02:53:20.068998098 CET     50347       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.069048882 CET       445     50346  111.48.240.74    192.168.2.5
Jan 15, 2025 02:53:20.069106102 CET     50346       445  192.168.2.5      111.48.240.74
Jan 15, 2025 02:53:20.072278023 CET     50349        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.072671890 CET     50348        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.077280998 CET        80     50349  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.077368975 CET     50349        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.077416897 CET     50349        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.077543020 CET        80     50348  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.077675104 CET     50348        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.077696085 CET     50348        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.080379009 CET     50347       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.082226992 CET        80     50349  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.082292080 CET     50349        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.082510948 CET        80     50348  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.082562923 CET     50348        80  192.168.2.5      83.133.119.197
Jan 15, 2025 02:53:20.082709074 CET     50350       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.085258007 CET       445     50347  111.48.240.1     192.168.2.5
Jan 15, 2025 02:53:20.085370064 CET     50347       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.087126970 CET        80     50349  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.087544918 CET        80     50348  83.133.119.197   192.168.2.5
Jan 15, 2025 02:53:20.087579012 CET       445     50350  111.48.240.1     192.168.2.5
Jan 15, 2025 02:53:20.087645054 CET     50350       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.087680101 CET     50350       445  192.168.2.5      111.48.240.1
Jan 15, 2025 02:53:20.092540026 CET       445     50350  111.48.240.1     192.168.2.5
Jan 15, 2025 02:53:20.395855904 CET     50351       445  192.168.2.5      148.47.58.1
Jan 15, 2025 02:53:20.400768042 CET       445     50351  148.47.58.1      192.168.2.5
Jan 15, 2025 02:53:20.400935888 CET     50351       445  192.168.2.5      148.47.58.1
Jan 15, 2025 02:53:20.400935888 CET     50351       445  192.168.2.5      148.47.58.1
Jan 15, 2025 02:53:20.405838966 CET       445     50351  148.47.58.1      192.168.2.5
Jan 15, 2025 02:53:20.833336115 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:20.838291883 CET       445     50352  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:20.838433027 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:20.838619947 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:20.844336033 CET       445     50352  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:21.156111956 CET     50353       445  192.168.2.5      136.85.90.113
Jan 15, 2025 02:53:21.161096096 CET       445     50353  136.85.90.113    192.168.2.5
Jan 15, 2025 02:53:21.164622068 CET     50353       445  192.168.2.5      136.85.90.113
Jan 15, 2025 02:53:21.164736032 CET     50353       445  192.168.2.5      136.85.90.113
Jan 15, 2025 02:53:21.164891958 CET     50354       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.169693947 CET       445     50353  136.85.90.113    192.168.2.5
Jan 15, 2025 02:53:21.169725895 CET       445     50354  136.85.90.1      192.168.2.5
Jan 15, 2025 02:53:21.169830084 CET     50353       445  192.168.2.5      136.85.90.113
Jan 15, 2025 02:53:21.169836044 CET     50354       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.169898033 CET     50354       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.170156956 CET     50355       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.174892902 CET       445     50354  136.85.90.1      192.168.2.5
Jan 15, 2025 02:53:21.175040960 CET       445     50355  136.85.90.1      192.168.2.5
Jan 15, 2025 02:53:21.175211906 CET     50354       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.175316095 CET     50355       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.175338984 CET     50355       445  192.168.2.5      136.85.90.1
Jan 15, 2025 02:53:21.180202961 CET       445     50355  136.85.90.1      192.168.2.5
Jan 15, 2025 02:53:21.405309916 CET       445     50246  72.151.164.1     192.168.2.5
Jan 15, 2025 02:53:21.405641079 CET     50246       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:21.405724049 CET     50246       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:21.405770063 CET     50246       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:21.410531998 CET       445     50246  72.151.164.1     192.168.2.5
Jan 15, 2025 02:53:21.410542965 CET       445     50246  72.151.164.1     192.168.2.5
Jan 15, 2025 02:53:21.419850111 CET       445     50247  138.40.81.1      192.168.2.5
Jan 15, 2025 02:53:21.419969082 CET     50247       445  192.168.2.5      138.40.81.1
Jan 15, 2025 02:53:21.420058966 CET     50247       445  192.168.2.5      138.40.81.1
Jan 15, 2025 02:53:21.420094013 CET     50247       445  192.168.2.5      138.40.81.1
Jan 15, 2025 02:53:21.425026894 CET       445     50247  138.40.81.1      192.168.2.5
Jan 15, 2025 02:53:21.425036907 CET       445     50247  138.40.81.1      192.168.2.5
Jan 15, 2025 02:53:21.477376938 CET     50356       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.482208967 CET       445     50356  138.40.81.2      192.168.2.5
Jan 15, 2025 02:53:21.484765053 CET     50356       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.489902020 CET     50356       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.490407944 CET     50357       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.494740009 CET       445     50356  138.40.81.2      192.168.2.5
Jan 15, 2025 02:53:21.495223999 CET       445     50357  138.40.81.2      192.168.2.5
Jan 15, 2025 02:53:21.495299101 CET     50356       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.495342016 CET     50357       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.503665924 CET     50357       445  192.168.2.5      138.40.81.2
Jan 15, 2025 02:53:21.508527994 CET       445     50357  138.40.81.2      192.168.2.5
Jan 15, 2025 02:53:22.175446033 CET     50358       445  192.168.2.5      20.15.180.0
Jan 15, 2025 02:53:22.180335045 CET       445     50358  20.15.180.0      192.168.2.5
Jan 15, 2025 02:53:22.180480957 CET     50358       445  192.168.2.5      20.15.180.0
Jan 15, 2025 02:53:22.180530071 CET     50358       445  192.168.2.5      20.15.180.0
Jan 15, 2025 02:53:22.180671930 CET     50359       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.185442924 CET       445     50358  20.15.180.0      192.168.2.5
Jan 15, 2025 02:53:22.185544014 CET     50358       445  192.168.2.5      20.15.180.0
Jan 15, 2025 02:53:22.185564041 CET       445     50359  20.15.180.1      192.168.2.5
Jan 15, 2025 02:53:22.185625076 CET     50359       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.185777903 CET     50359       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.186093092 CET     50360       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.190582037 CET       445     50359  20.15.180.1      192.168.2.5
Jan 15, 2025 02:53:22.190653086 CET     50359       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.190905094 CET       445     50360  20.15.180.1      192.168.2.5
Jan 15, 2025 02:53:22.190954924 CET     50360       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.190995932 CET     50360       445  192.168.2.5      20.15.180.1
Jan 15, 2025 02:53:22.196078062 CET       445     50360  20.15.180.1      192.168.2.5
Jan 15, 2025 02:53:22.348632097 CET       445     50352  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:22.348784924 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:22.348989964 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:22.349030018 CET     50352       445  192.168.2.5      174.70.176.1
Jan 15, 2025 02:53:22.354890108 CET       445     50352  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:22.354921103 CET       445     50352  174.70.176.1     192.168.2.5
Jan 15, 2025 02:53:22.359184027 CET        80     49710  2.23.77.188      192.168.2.5
Jan 15, 2025 02:53:22.359476089 CET     49710        80  192.168.2.5      2.23.77.188
Jan 15, 2025 02:53:22.360616922 CET     49710        80  192.168.2.5      2.23.77.188
Jan 15, 2025 02:53:22.364687920 CET     50361       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:22.365461111 CET        80     49710  2.23.77.188      192.168.2.5
Jan 15, 2025 02:53:22.369616032 CET       445     50361  140.70.135.1     192.168.2.5
Jan 15, 2025 02:53:22.369708061 CET     50361       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:22.369772911 CET     50361       445  192.168.2.5      140.70.135.1
Jan 15, 2025 02:53:22.374627113 CET       445     50361  140.70.135.1     192.168.2.5
Jan 15, 2025 02:53:22.411724091 CET     50362       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.416634083 CET       445     50362  174.70.176.2     192.168.2.5
Jan 15, 2025 02:53:22.416764021 CET     50362       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.416884899 CET     50362       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.417217970 CET     50363       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.421751976 CET       445     50362  174.70.176.2     192.168.2.5
Jan 15, 2025 02:53:22.421818972 CET     50362       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.422056913 CET       445     50363  174.70.176.2     192.168.2.5
Jan 15, 2025 02:53:22.422115088 CET     50363       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.422162056 CET     50363       445  192.168.2.5      174.70.176.2
Jan 15, 2025 02:53:22.426939011 CET       445     50363  174.70.176.2     192.168.2.5
Jan 15, 2025 02:53:23.115010023 CET     50365       445  192.168.2.5      214.224.11.142
Jan 15, 2025 02:53:23.119867086 CET       445     50365  214.224.11.142   192.168.2.5
Jan 15, 2025 02:53:23.119944096 CET     50365       445  192.168.2.5      214.224.11.142
Jan 15, 2025 02:53:23.120080948 CET     50365       445  192.168.2.5      214.224.11.142
Jan 15, 2025 02:53:23.120117903 CET     50366       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.124957085 CET       445     50366  214.224.11.1     192.168.2.5
Jan 15, 2025 02:53:23.124970913 CET       445     50365  214.224.11.142   192.168.2.5
Jan 15, 2025 02:53:23.125108957 CET     50366       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.125108957 CET     50366       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.125132084 CET     50365       445  192.168.2.5      214.224.11.142
Jan 15, 2025 02:53:23.125272989 CET     50367       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.130085945 CET       445     50367  214.224.11.1     192.168.2.5
Jan 15, 2025 02:53:23.130100012 CET       445     50366  214.224.11.1     192.168.2.5
Jan 15, 2025 02:53:23.130142927 CET     50367       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.130156994 CET     50366       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.130197048 CET     50367       445  192.168.2.5      214.224.11.1
Jan 15, 2025 02:53:23.136209011 CET       445     50367  214.224.11.1     192.168.2.5
Jan 15, 2025 02:53:23.438982010 CET       445     50263  26.51.77.1       192.168.2.5
Jan 15, 2025 02:53:23.439172983 CET     50263       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:23.439173937 CET     50263       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:23.439419031 CET     50263       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:23.444041014 CET       445     50263  26.51.77.1       192.168.2.5
Jan 15, 2025 02:53:23.444297075 CET       445     50263  26.51.77.1       192.168.2.5
Jan 15, 2025 02:53:23.575627089 CET       445     50266  149.11.181.1     192.168.2.5
Jan 15, 2025 02:53:23.575773954 CET     50266       445  192.168.2.5      149.11.181.1
Jan 15, 2025 02:53:23.575773954 CET     50266       445  192.168.2.5      149.11.181.1
Jan 15, 2025 02:53:23.575865030 CET     50266       445  192.168.2.5      149.11.181.1
Jan 15, 2025 02:53:23.580668926 CET       445     50266  149.11.181.1     192.168.2.5
Jan 15, 2025 02:53:23.580682039 CET       445     50266  149.11.181.1     192.168.2.5
Jan 15, 2025 02:53:23.630470991 CET     50368       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.635328054 CET       445     50368  149.11.181.2     192.168.2.5
Jan 15, 2025 02:53:23.635387897 CET     50368       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.635510921 CET     50368       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.635790110 CET     50369       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.640290022 CET       445     50368  149.11.181.2     192.168.2.5
Jan 15, 2025 02:53:23.640419006 CET       445     50368  149.11.181.2     192.168.2.5
Jan 15, 2025 02:53:23.640456915 CET     50368       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.640640974 CET       445     50369  149.11.181.2     192.168.2.5
Jan 15, 2025 02:53:23.640712976 CET     50369       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.640750885 CET     50369       445  192.168.2.5      149.11.181.2
Jan 15, 2025 02:53:23.645591974 CET       445     50369  149.11.181.2     192.168.2.5
Jan 15, 2025 02:53:23.990114927 CET     50370       445  192.168.2.5      117.140.42.50
Jan 15, 2025 02:53:23.995037079 CET       445     50370  117.140.42.50    192.168.2.5
Jan 15, 2025 02:53:23.995126963 CET     50370       445  192.168.2.5      117.140.42.50
Jan 15, 2025 02:53:23.995189905 CET     50370       445  192.168.2.5      117.140.42.50
Jan 15, 2025 02:53:23.995347023 CET     50371       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.000279903 CET       445     50371  117.140.42.1     192.168.2.5
Jan 15, 2025 02:53:24.000293016 CET       445     50370  117.140.42.50    192.168.2.5
Jan 15, 2025 02:53:24.000354052 CET     50370       445  192.168.2.5      117.140.42.50
Jan 15, 2025 02:53:24.000370979 CET     50371       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.000405073 CET     50371       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.000576019 CET     50372       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.005494118 CET       445     50372  117.140.42.1     192.168.2.5
Jan 15, 2025 02:53:24.005558968 CET     50372       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.005606890 CET       445     50371  117.140.42.1     192.168.2.5
Jan 15, 2025 02:53:24.005615950 CET     50372       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.005673885 CET     50371       445  192.168.2.5      117.140.42.1
Jan 15, 2025 02:53:24.011085033 CET       445     50372  117.140.42.1     192.168.2.5
Jan 15, 2025 02:53:24.411403894 CET     50373       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:24.417916059 CET       445     50373  72.151.164.1     192.168.2.5
Jan 15, 2025 02:53:24.418051958 CET     50373       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:24.418051958 CET     50373       445  192.168.2.5      72.151.164.1
Jan 15, 2025 02:53:24.423856020 CET       445     50373  72.151.164.1     192.168.2.5
Jan 15, 2025 02:53:24.818154097 CET     50374       445  192.168.2.5      78.74.197.76
Jan 15, 2025 02:53:24.823383093 CET       445     50374  78.74.197.76     192.168.2.5
Jan 15, 2025 02:53:24.823450089 CET     50374       445  192.168.2.5      78.74.197.76
Jan 15, 2025 02:53:24.823580980 CET     50374       445  192.168.2.5      78.74.197.76
Jan 15, 2025 02:53:24.823667049 CET     50375       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.828471899 CET       445     50375  78.74.197.1      192.168.2.5
Jan 15, 2025 02:53:24.828542948 CET     50375       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.828588009 CET     50375       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.828764915 CET       445     50374  78.74.197.76     192.168.2.5
Jan 15, 2025 02:53:24.828794956 CET     50376       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.828821898 CET     50374       445  192.168.2.5      78.74.197.76
Jan 15, 2025 02:53:24.833631039 CET       445     50375  78.74.197.1      192.168.2.5
Jan 15, 2025 02:53:24.833645105 CET       445     50376  78.74.197.1      192.168.2.5
Jan 15, 2025 02:53:24.833688021 CET     50375       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.833750010 CET     50376       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.833795071 CET     50376       445  192.168.2.5      78.74.197.1
Jan 15, 2025 02:53:24.838553905 CET       445     50376  78.74.197.1      192.168.2.5
Jan 15, 2025 02:53:25.420125008 CET       445     50280  113.235.186.1    192.168.2.5
Jan 15, 2025 02:53:25.420205116 CET     50280       445  192.168.2.5      113.235.186.1
Jan 15, 2025 02:53:25.420336962 CET     50280       445  192.168.2.5      113.235.186.1
Jan 15, 2025 02:53:25.420371056 CET     50280       445  192.168.2.5      113.235.186.1
Jan 15, 2025 02:53:25.425192118 CET       445     50280  113.235.186.1    192.168.2.5
Jan 15, 2025 02:53:25.425208092 CET       445     50280  113.235.186.1    192.168.2.5
Jan 15, 2025 02:53:25.499414921 CET       445     50282  181.1.73.1       192.168.2.5
Jan 15, 2025 02:53:25.499541998 CET     50282       445  192.168.2.5      181.1.73.1
Jan 15, 2025 02:53:25.499583960 CET     50282       445  192.168.2.5      181.1.73.1
Jan 15, 2025 02:53:25.499619961 CET     50282       445  192.168.2.5      181.1.73.1
Jan 15, 2025 02:53:25.504364967 CET       445     50282  181.1.73.1       192.168.2.5
Jan 15, 2025 02:53:25.504389048 CET       445     50282  181.1.73.1       192.168.2.5
Jan 15, 2025 02:53:25.553194046 CET     50377       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.558368921 CET       445     50377  181.1.73.2       192.168.2.5
Jan 15, 2025 02:53:25.558448076 CET     50377       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.558593035 CET     50377       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.558696032 CET     50378       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.563529015 CET       445     50378  181.1.73.2       192.168.2.5
Jan 15, 2025 02:53:25.563585997 CET     50378       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.563599110 CET     50378       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.563704014 CET       445     50377  181.1.73.2       192.168.2.5
Jan 15, 2025 02:53:25.563788891 CET     50377       445  192.168.2.5      181.1.73.2
Jan 15, 2025 02:53:25.568417072 CET       445     50378  181.1.73.2       192.168.2.5
Jan 15, 2025 02:53:25.583440065 CET     50379       445  192.168.2.5      100.43.221.186
Jan 15, 2025 02:53:25.588221073 CET       445     50379  100.43.221.186   192.168.2.5
Jan 15, 2025 02:53:25.588350058 CET     50379       445  192.168.2.5      100.43.221.186
Jan 15, 2025 02:53:25.588365078 CET     50379       445  192.168.2.5      100.43.221.186
Jan 15, 2025 02:53:25.588459969 CET     50380       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.593287945 CET       445     50380  100.43.221.1     192.168.2.5
Jan 15, 2025 02:53:25.593303919 CET       445     50379  100.43.221.186   192.168.2.5
Jan 15, 2025 02:53:25.593367100 CET     50379       445  192.168.2.5      100.43.221.186
Jan 15, 2025 02:53:25.593365908 CET     50380       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.593455076 CET     50380       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.593605995 CET     50381       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.598403931 CET       445     50381  100.43.221.1     192.168.2.5
Jan 15, 2025 02:53:25.598417044 CET       445     50380  100.43.221.1     192.168.2.5
Jan 15, 2025 02:53:25.598483086 CET     50380       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.598531961 CET     50381       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.598531961 CET     50381       445  192.168.2.5      100.43.221.1
Jan 15, 2025 02:53:25.603336096 CET       445     50381  100.43.221.1     192.168.2.5
Jan 15, 2025 02:53:26.442650080 CET     50383       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:26.447606087 CET       445     50383  26.51.77.1       192.168.2.5
Jan 15, 2025 02:53:26.447684050 CET     50383       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:26.447701931 CET     50383       445  192.168.2.5      26.51.77.1
Jan 15, 2025 02:53:26.452585936 CET       445     50383  26.51.77.1       192.168.2.5
Jan 15, 2025 02:53:27.454430103 CET       445     50299  91.63.153.1      192.168.2.5
Jan 15, 2025 02:53:27.454708099 CET     50299       445  192.168.2.5      91.63.153.1
                                                      Jan 15, 2025 02:53:27.454709053 CET50299445192.168.2.591.63.153.1
                                                      Jan 15, 2025 02:53:27.454709053 CET50299445192.168.2.591.63.153.1
                                                      Jan 15, 2025 02:53:27.459662914 CET4455029991.63.153.1192.168.2.5
                                                      Jan 15, 2025 02:53:27.459692955 CET4455029991.63.153.1192.168.2.5
                                                      Jan 15, 2025 02:53:28.427206993 CET50389445192.168.2.5113.235.186.1
                                                      Jan 15, 2025 02:53:28.432077885 CET44550389113.235.186.1192.168.2.5
                                                      Jan 15, 2025 02:53:28.436166048 CET50389445192.168.2.5113.235.186.1
                                                      Jan 15, 2025 02:53:28.436239958 CET50389445192.168.2.5113.235.186.1
                                                      Jan 15, 2025 02:53:28.441108942 CET44550389113.235.186.1192.168.2.5
                                                      Jan 15, 2025 02:53:28.865295887 CET50393443192.168.2.5165.160.15.20
                                                      Jan 15, 2025 02:53:28.865333080 CET44350393165.160.15.20192.168.2.5
                                                      Jan 15, 2025 02:53:28.865397930 CET50393443192.168.2.5165.160.15.20
                                                      Jan 15, 2025 02:53:29.450062990 CET44550314221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.451452971 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:29.488343954 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:29.488399029 CET50314445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:29.493371010 CET44550314221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.493412971 CET44550314221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.513782024 CET44550315193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.513870001 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:29.519244909 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:29.519409895 CET50315445192.168.2.5193.175.220.1
                                                      Jan 15, 2025 02:53:29.524343014 CET44550315193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.524379969 CET44550315193.175.220.1192.168.2.5
                                                      Jan 15, 2025 02:53:29.671921015 CET50397445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.676824093 CET44550397193.175.220.2192.168.2.5
                                                      Jan 15, 2025 02:53:29.676920891 CET50397445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.677002907 CET50397445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.677432060 CET50399445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.682077885 CET44550397193.175.220.2192.168.2.5
                                                      Jan 15, 2025 02:53:29.682185888 CET50397445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.682269096 CET44550399193.175.220.2192.168.2.5
                                                      Jan 15, 2025 02:53:29.682341099 CET50399445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.682540894 CET50399445192.168.2.5193.175.220.2
                                                      Jan 15, 2025 02:53:29.687354088 CET44550399193.175.220.2192.168.2.5
                                                      Jan 15, 2025 02:53:30.128844976 CET50402443192.168.2.5162.159.140.166
                                                      Jan 15, 2025 02:53:30.128879070 CET44350402162.159.140.166192.168.2.5
                                                      Jan 15, 2025 02:53:30.128942966 CET50402443192.168.2.5162.159.140.166
                                                      Jan 15, 2025 02:53:30.458682060 CET50405445192.168.2.591.63.153.1
                                                      Jan 15, 2025 02:53:30.463555098 CET4455040591.63.153.1192.168.2.5
                                                      Jan 15, 2025 02:53:30.463632107 CET50405445192.168.2.591.63.153.1
                                                      Jan 15, 2025 02:53:30.463655949 CET50405445192.168.2.591.63.153.1
                                                      Jan 15, 2025 02:53:30.468489885 CET4455040591.63.153.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.393714905 CET44550318172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.393990040 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:31.394028902 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:31.394068956 CET50318445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:31.401319981 CET44550318172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.401334047 CET44550318172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.499144077 CET44550319198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.501964092 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:31.502007961 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:31.502041101 CET50319445192.168.2.5198.154.22.1
                                                      Jan 15, 2025 02:53:31.508368015 CET44550319198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.508701086 CET44550319198.154.22.1192.168.2.5
                                                      Jan 15, 2025 02:53:31.567600012 CET50416445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.574031115 CET44550416198.154.22.2192.168.2.5
                                                      Jan 15, 2025 02:53:31.574112892 CET50416445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.574186087 CET50416445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.574433088 CET50417445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.580739975 CET44550417198.154.22.2192.168.2.5
                                                      Jan 15, 2025 02:53:31.581274033 CET44550416198.154.22.2192.168.2.5
                                                      Jan 15, 2025 02:53:31.581357956 CET50416445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.581583023 CET50417445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.581619024 CET50417445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:31.588376999 CET44550417198.154.22.2192.168.2.5
                                                      Jan 15, 2025 02:53:32.520725012 CET50429445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:32.525566101 CET44550429221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:32.525727034 CET50429445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:32.525809050 CET50429445192.168.2.5221.170.202.1
                                                      Jan 15, 2025 02:53:32.530574083 CET44550429221.170.202.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.076354027 CET4455032380.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.076435089 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:33.076484919 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:33.076495886 CET50323445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:33.081373930 CET4455032380.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.081387043 CET4455032380.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.544461966 CET4455032439.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.544548988 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:33.544641018 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:33.544686079 CET50324445192.168.2.539.69.187.1
                                                      Jan 15, 2025 02:53:33.549495935 CET4455032439.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.549506903 CET4455032439.69.187.1192.168.2.5
                                                      Jan 15, 2025 02:53:33.599335909 CET50447445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.604258060 CET4455044739.69.187.2192.168.2.5
                                                      Jan 15, 2025 02:53:33.604343891 CET50447445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.604480028 CET50447445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.604814053 CET50448445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.609299898 CET4455044739.69.187.2192.168.2.5
                                                      Jan 15, 2025 02:53:33.609363079 CET50447445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.609626055 CET4455044839.69.187.2192.168.2.5
                                                      Jan 15, 2025 02:53:33.609684944 CET50448445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.609713078 CET50448445192.168.2.539.69.187.2
                                                      Jan 15, 2025 02:53:33.614495039 CET4455044839.69.187.2192.168.2.5
                                                      Jan 15, 2025 02:53:34.396042109 CET50466445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:34.400950909 CET44550466172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:34.401031971 CET50466445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:34.401062012 CET50466445192.168.2.5172.2.157.1
                                                      Jan 15, 2025 02:53:34.405821085 CET44550466172.2.157.1192.168.2.5
                                                      Jan 15, 2025 02:53:34.753463984 CET4455032851.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:34.753983974 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:34.757040024 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:34.757101059 CET50328445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:34.761991024 CET4455032851.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:34.762022972 CET4455032851.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:34.867676020 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:34.867755890 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:34.867846966 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:34.868779898 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:34.868818045 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.528950930 CET44550329160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:35.529247046 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:35.529247046 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:35.529247046 CET50329445192.168.2.5160.166.64.1
                                                      Jan 15, 2025 02:53:35.534236908 CET44550329160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:35.534276009 CET44550329160.166.64.1192.168.2.5
                                                      Jan 15, 2025 02:53:35.586702108 CET50498445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.591754913 CET44550498160.166.64.2192.168.2.5
                                                      Jan 15, 2025 02:53:35.591855049 CET50498445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.591948986 CET50498445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.592286110 CET50499445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.596929073 CET44550498160.166.64.2192.168.2.5
                                                      Jan 15, 2025 02:53:35.597002983 CET50498445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.597182035 CET44550499160.166.64.2192.168.2.5
                                                      Jan 15, 2025 02:53:35.597265005 CET50499445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.597299099 CET50499445192.168.2.5160.166.64.2
                                                      Jan 15, 2025 02:53:35.602153063 CET44550499160.166.64.2192.168.2.5
                                                      Jan 15, 2025 02:53:35.659358978 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.659435987 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.661595106 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.661602020 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.661813021 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.664314032 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.664375067 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.664381027 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.664515972 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.711352110 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.837127924 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.837202072 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:35.837385893 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.837500095 CET50475443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:35.837518930 CET4435047540.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:36.083638906 CET50514445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:36.088515043 CET4455051480.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:36.088705063 CET50514445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:36.088892937 CET50514445192.168.2.580.134.5.1
                                                      Jan 15, 2025 02:53:36.093775034 CET4455051480.134.5.1192.168.2.5
                                                      Jan 15, 2025 02:53:36.267486095 CET4455033257.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:36.268997908 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:36.269040108 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:36.269088030 CET50332445192.168.2.557.0.54.1
                                                      Jan 15, 2025 02:53:36.274044037 CET4455033257.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:36.274076939 CET4455033257.0.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.565840006 CET44550333211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.565956116 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:37.588645935 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:37.588700056 CET50333445192.168.2.5211.132.162.1
                                                      Jan 15, 2025 02:53:37.593489885 CET44550333211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.593502045 CET44550333211.132.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.670566082 CET50608445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.675512075 CET44550608211.132.162.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.675594091 CET50608445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.678419113 CET50608445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.683307886 CET44550608211.132.162.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.683367014 CET50608445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.685887098 CET4455032594.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.685973883 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:37.686244011 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:37.687969923 CET50325445192.168.2.594.120.0.1
                                                      Jan 15, 2025 02:53:37.691045046 CET4455032594.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.692703009 CET4455032594.120.0.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.701277018 CET50614445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.706151962 CET44550614211.132.162.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.706248045 CET50614445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.706290007 CET50614445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:37.711019039 CET44550614211.132.162.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.756604910 CET50623445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.764123917 CET4455062394.120.0.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.764198065 CET50623445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.765141964 CET50623445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.765783072 CET50625445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.770059109 CET4455062394.120.0.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.770136118 CET50623445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.770673990 CET4455062594.120.0.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.770765066 CET50625445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.771167994 CET50625445192.168.2.594.120.0.2
                                                      Jan 15, 2025 02:53:37.771445990 CET50626445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:37.775950909 CET4455062594.120.0.2192.168.2.5
                                                      Jan 15, 2025 02:53:37.776276112 CET4455062651.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:37.776340961 CET50626445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:37.776405096 CET50626445192.168.2.551.62.241.1
                                                      Jan 15, 2025 02:53:37.781155109 CET4455062651.62.241.1192.168.2.5
                                                      Jan 15, 2025 02:53:38.651071072 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:38.651103020 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:38.651191950 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:38.652040958 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:38.652055979 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.030719042 CET44550339109.99.7.1192.168.2.5
                                                      Jan 15, 2025 02:53:39.033979893 CET50339445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:39.466344118 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.466449976 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.469096899 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.469118118 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.469342947 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.470988989 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.471067905 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.471081972 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.471200943 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.515321970 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.648668051 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.648854017 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.649202108 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.649287939 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.649328947 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.649328947 CET50673443192.168.2.540.115.3.253
                                                      Jan 15, 2025 02:53:39.649353981 CET4435067340.115.3.253192.168.2.5
                                                      Jan 15, 2025 02:53:39.675362110 CET44550614211.132.162.2192.168.2.5
                                                      Jan 15, 2025 02:53:39.675445080 CET50614445192.168.2.5211.132.162.2
                                                      Jan 15, 2025 02:53:39.784677029 CET44550340137.175.162.1192.168.2.5
                                                      Jan 15, 2025 02:53:39.785974979 CET50340445192.168.2.5137.175.162.1
                                                      Jan 15, 2025 02:53:40.231450081 CET4455034362.182.54.1192.168.2.5
                                                      Jan 15, 2025 02:53:40.231570005 CET50343445192.168.2.562.182.54.1
                                                      Jan 15, 2025 02:53:40.896150112 CET50369445192.168.2.5149.11.181.2
                                                      Jan 15, 2025 02:53:40.896317959 CET50357445192.168.2.5138.40.81.2
                                                      Jan 15, 2025 02:53:40.896399975 CET50378445192.168.2.5181.1.73.2
                                                      Jan 15, 2025 02:53:40.896461010 CET50345445192.168.2.595.214.158.2
                                                      Jan 15, 2025 02:53:40.896473885 CET50417445192.168.2.5198.154.22.2
                                                      Jan 15, 2025 02:53:40.896537066 CET50361445192.168.2.5140.70.135.1
                                                      Jan 15, 2025 02:53:40.896585941 CET50340445192.168.2.5137.175.162.1
                                                      Jan 15, 2025 02:53:40.896589994 CET50339445192.168.2.5109.99.7.1
                                                      Jan 15, 2025 02:53:40.896595955 CET50343445192.168.2.562.182.54.1
                                                      Jan 15, 2025 02:53:40.896642923 CET50351445192.168.2.5148.47.58.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.5 | 49754 | 83.133.119.197 | 80
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.5 | 49755 | 83.133.119.197 | 80
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.5 | 50349 | 83.133.119.197 | 80
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.5 | 50348 | 83.133.119.197 | 80
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.5 | 49716 | 40.115.3.253 | 443
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.2.5 | 49719 | 40.115.3.253 | 443
Timestamp | Bytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.2.5 | 49720 | 40.115.3.253 | 443
Timestamp | Bytes transferred | Direction | Data
                                                      2025-01-15 01:52:18 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 52 43 2b 30 41 74 4c 46 56 30 4b 45 73 4c 72 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 39 37 38 31 36 37 63 37 33 30 39 35 35 65 61 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: RC+0AtLFV0KEsLrz.1\r\nContext: 8978167c730955ea\r\n\r\n
                                                      2025-01-15 01:52:18 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:52:18 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 52 43 2b 30 41 74 4c 46 56 30 4b 45 73 4c 72 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 39 37 38 31 36 37 63 37 33 30 39 35 35 65 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: RC+0AtLFV0KEsLrz.2\r\nContext: 8978167c730955ea\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:52:18 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 52 43 2b 30 41 74 4c 46 56 30 4b 45 73 4c 72 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 39 37 38 31 36 37 63 37 33 30 39 35 35 65 61 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                       Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: RC+0AtLFV0KEsLrz.3\r\nContext: 8978167c730955ea\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2025-01-15 01:52:18 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:52:18 UTC58INData Raw: 4d 53 2d 43 56 3a 20 38 52 74 35 6c 4d 51 4d 35 45 47 6a 4d 38 49 6d 6b 6e 47 43 4d 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: 8Rt5lMQM5EGjM8ImknGCMg.0\r\n\r\nPayload parsing failed.
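Added worked example, not code from the Joe Sandbox report: a small Python parser that reassembles the Data Raw hex dumps of session 2 above into one stream per direction and recovers the message framing. The framing rule it applies, that the last token of the first line is the number of bytes that follow it (header lines, a blank line, then the body), is inferred from these dumps and checked against the per-write byte counts the report gives (71 + 249 = 15 + 305 for the CNT exchange, 14 + 58 for the reply); it is not taken from any published specification. The parser also pulls the device fingerprint out of the CNT body, which is what tells a triager that this stream is the analysis VM's own Windows push-notification client (the BND CON\WNS write carries <client><name>WPN</name>, the CNT body advertises osVer 10.0.0.0.19045 and deviceName VMware20,1) rather than a connection the sample opened; 40.115.3.253:443 should not be promoted to an indicator on the strength of these sessions. The 1084-byte ATH write is shown truncated on the page, so the parser flags that frame as incomplete instead of guessing where the next one starts. Frame, parse_frames, connect_fields and summarize are this example's own names.

```python
"""Added example, not code from the Joe Sandbox report: reassemble one
direction of the 'Data Raw' dumps above and recover the frame structure of the
WNS/WPN client protocol.  Framing rule (inferred from these dumps and checked
against the per-write byte counts; not from a specification): the first line
is '<VERB> <seq> <channel ...> <N>\\r\\n' and exactly N bytes follow it, laid
out as 'Name: value' header lines, a blank line, then the body."""
import re
from dataclasses import dataclass

# Session 2, client -> server, copied from the report.  Write 1 (71 bytes) as
# the report's hex; write 2 (249 bytes, printable XML) and the visible prefix
# of write 3 (the 1084-byte ATH write the report truncates) as the Data Ascii
# text with the CRLFs the report's rendering dropped put back.
SESSION2_OUT = [
    bytes.fromhex(
        "43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 52 43 2b 30 "
        "41 74 4c 46 56 30 4b 45 73 4c 72 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 "
        "39 37 38 31 36 37 63 37 33 30 39 35 35 65 61 0d 0a 0d 0a"
    ),
    b"<connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer>"
    b"<proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac>"
    b"<deviceType>1</deviceType><deviceName>VMware20,1</deviceName>"
    b"<followRetry>true</followRetry></agent></connect>",
    b"ATH 2 CON\\DEVICE 1061\r\nMS-CV: RC+0AtLFV0KEsLrz.2\r\nContext: 8978167c730955ea\r\n\r\n"
    b"<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq"
    b"50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe",
]
# Session 2, server -> client: the two reply writes (14 and 58 bytes), as hex.
SESSION2_IN = [
    bytes.fromhex("32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a"),
    bytes.fromhex(
        "4d 53 2d 43 56 3a 20 38 52 74 35 6c 4d 51 4d 35 45 47 6a 4d 38 49 6d 6b 6e 47 43 4d 67 "
        "2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e"
    ),
]


@dataclass
class Frame:
    verb: str          # CNT / ATH / BND from the client, a status such as 202 from the server
    seq: int
    args: list         # channel plus any extra tokens, e.g. ['CON'] or ['CON\\WNS', '0']
    declared_len: int  # byte count announced on the first line
    headers: dict
    body: bytes
    complete: bool     # False if the stream ended before declared_len bytes arrived


def parse_frames(stream: bytes) -> list:
    """Split one direction of a reassembled stream into frames.

    Stops at the first incomplete frame: once the declared length cannot be
    honoured (truncated capture), there is no safe way to resynchronise.
    """
    frames, pos = [], 0
    while pos < len(stream):
        nl = stream.find(b"\r\n", pos)
        if nl < 0:
            break
        tokens = stream[pos:nl].decode("ascii", "replace").split(" ")
        if len(tokens) < 3 or not tokens[-1].isdigit():
            break  # not a start line; refuse to guess
        declared = int(tokens[-1])
        payload = stream[nl + 2 : nl + 2 + declared]
        complete = len(payload) == declared
        cut = payload.find(b"\r\n\r\n")  # blank line separating headers from body
        head, body = (payload, b"") if cut < 0 else (payload[:cut], payload[cut + 4 :])
        headers = {}
        for line in head.split(b"\r\n"):
            name, colon, value = line.decode("ascii", "replace").partition(":")
            if colon:
                headers[name.strip()] = value.strip()
        seq = int(tokens[1]) if tokens[1].isdigit() else -1
        frames.append(Frame(tokens[0], seq, tokens[2:-1], declared, headers, body, complete))
        if not complete:
            break
        pos = nl + 2 + declared
    return frames


def connect_fields(frames: list) -> dict:
    """Device fingerprint from the CNT body: the fields that identify the
    analysis VM's own client rather than anything the sample brought along."""
    for f in frames:
        if f.verb == "CNT" and f.body.startswith(b"<connect>"):
            xml = f.body.decode("ascii", "replace")
            return dict(re.findall(r"<(os|osVer|proc|lcid|deviceName)>([^<]*)</\1>", xml))
    return {}


def summarize(out_frames: list, in_frames: list) -> dict:
    """Triage view of one session: what was sent, what came back, and whether
    the capture is complete enough to trust the body contents."""
    return {
        "client_verbs": [f.verb for f in out_frames],
        "channels": [f.args[0] for f in out_frames if f.args],
        "truncated": any(not f.complete for f in out_frames + in_frames),
        "server_replies": [(f.verb, f.body.decode("ascii", "replace")) for f in in_frames],
        "device": connect_fields(out_frames),
    }


if __name__ == "__main__":
    out, inn = parse_frames(b"".join(SESSION2_OUT)), parse_frames(b"".join(SESSION2_IN))
    for f in out + inn:
        print(f.verb, f.seq, f.args, f.declared_len, "ok" if f.complete else "TRUNCATED", f.headers)
    print(summarize(out, inn))
```

To run it over another session, paste that session's Data Raw strings into the two lists in the order the report shows them; because the report prints only a prefix of each large write, expect every ATH frame to come back with complete=False, and treat whatever follows it in that direction as unparsed rather than as a new frame.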


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       3           192.168.2.5  49742        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:52:27 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4c 7a 47 2f 7a 34 77 58 68 30 65 33 72 6b 6c 77 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 62 32 30 64 64 31 31 66 36 61 37 34 33 64 64 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: LzG/z4wXh0e3rklw.1\r\nContext: 1b20dd11f6a743dd\r\n\r\n
                                                      2025-01-15 01:52:27 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:52:27 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4c 7a 47 2f 7a 34 77 58 68 30 65 33 72 6b 6c 77 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 62 32 30 64 64 31 31 66 36 61 37 34 33 64 64 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: LzG/z4wXh0e3rklw.2\r\nContext: 1b20dd11f6a743dd\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:52:27 UTC74OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 4c 7a 47 2f 7a 34 77 58 68 30 65 33 72 6b 6c 77 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 62 32 30 64 64 31 31 66 36 61 37 34 33 64 64 0d 0a 0d 0a
                                                       Data Ascii: BND 3 CON\QOS 56\r\nMS-CV: LzG/z4wXh0e3rklw.3\r\nContext: 1b20dd11f6a743dd\r\n\r\n
                                                      2025-01-15 01:52:27 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:52:27 UTC58INData Raw: 4d 53 2d 43 56 3a 20 51 65 6e 36 4a 69 43 63 71 30 53 69 75 7a 49 66 70 78 36 54 39 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: Qen6JiCcq0SiuzIfpx6T9w.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       4           192.168.2.5  49743        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:52:27 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6e 37 57 76 4a 79 32 71 42 55 53 36 53 54 5a 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 32 61 34 33 65 61 62 38 35 32 31 33 63 36 62 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: n7WvJy2qBUS6STZz.1\r\nContext: d2a43eab85213c6b\r\n\r\n
                                                      2025-01-15 01:52:27 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:52:27 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6e 37 57 76 4a 79 32 71 42 55 53 36 53 54 5a 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 32 61 34 33 65 61 62 38 35 32 31 33 63 36 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: n7WvJy2qBUS6STZz.2\r\nContext: d2a43eab85213c6b\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:52:27 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6e 37 57 76 4a 79 32 71 42 55 53 36 53 54 5a 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 32 61 34 33 65 61 62 38 35 32 31 33 63 36 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                       Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: n7WvJy2qBUS6STZz.3\r\nContext: d2a43eab85213c6b\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2025-01-15 01:52:27 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:52:27 UTC58INData Raw: 4d 53 2d 43 56 3a 20 59 52 36 47 78 58 7a 50 44 55 71 63 41 4f 49 37 4f 61 61 57 44 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: YR6GxXzPDUqcAOI7OaaWDg.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       5           192.168.2.5  49986        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:52:45 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 66 47 2f 35 48 4c 59 4a 69 45 32 71 66 51 51 67 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 65 31 62 30 30 61 63 65 34 66 39 63 30 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: fG/5HLYJiE2qfQQg.1\r\nContext: a19e1b00ace4f9c0\r\n\r\n
                                                      2025-01-15 01:52:45 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:52:45 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 66 47 2f 35 48 4c 59 4a 69 45 32 71 66 51 51 67 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 65 31 62 30 30 61 63 65 34 66 39 63 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: fG/5HLYJiE2qfQQg.2\r\nContext: a19e1b00ace4f9c0\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:52:45 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 66 47 2f 35 48 4c 59 4a 69 45 32 71 66 51 51 67 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 39 65 31 62 30 30 61 63 65 34 66 39 63 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                       Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: fG/5HLYJiE2qfQQg.3\r\nContext: a19e1b00ace4f9c0\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2025-01-15 01:52:45 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:52:45 UTC58INData Raw: 4d 53 2d 43 56 3a 20 34 62 50 38 47 42 30 4c 31 55 2b 76 33 57 54 6b 54 48 43 55 45 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: 4bP8GB0L1U+v3WTkTHCUEg.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       6           192.168.2.5  50015        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:52:46 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6d 50 4d 57 67 66 61 4e 33 6b 65 56 50 70 59 64 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 35 35 35 31 38 37 39 34 33 36 35 37 66 30 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: mPMWgfaN3keVPpYd.1\r\nContext: 71555187943657f0\r\n\r\n
                                                      2025-01-15 01:52:46 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:52:46 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6d 50 4d 57 67 66 61 4e 33 6b 65 56 50 70 59 64 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 35 35 35 31 38 37 39 34 33 36 35 37 66 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: mPMWgfaN3keVPpYd.2\r\nContext: 71555187943657f0\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:52:46 UTC74OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 6d 50 4d 57 67 66 61 4e 33 6b 65 56 50 70 59 64 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 31 35 35 35 31 38 37 39 34 33 36 35 37 66 30 0d 0a 0d 0a
                                                       Data Ascii: BND 3 CON\QOS 56\r\nMS-CV: mPMWgfaN3keVPpYd.3\r\nContext: 71555187943657f0\r\n\r\n
                                                      2025-01-15 01:52:46 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:52:46 UTC58INData Raw: 4d 53 2d 43 56 3a 20 34 4a 6e 77 49 6d 73 57 44 45 6d 63 64 46 41 69 37 67 61 62 61 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: 4JnwImsWDEmcdFAi7gabaw.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       7           192.168.2.5  50300        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:53:07 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 56 70 53 32 58 70 4b 78 51 6b 61 33 49 34 6a 4d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 61 63 35 32 31 32 35 32 31 64 63 33 61 66 31 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: VpS2XpKxQka3I4jM.1\r\nContext: dac5212521dc3af1\r\n\r\n
                                                      2025-01-15 01:53:07 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:53:07 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 56 70 53 32 58 70 4b 78 51 6b 61 33 49 34 6a 4d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 61 63 35 32 31 32 35 32 31 64 63 33 61 66 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: VpS2XpKxQka3I4jM.2\r\nContext: dac5212521dc3af1\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:53:07 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 56 70 53 32 58 70 4b 78 51 6b 61 33 49 34 6a 4d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 61 63 35 32 31 32 35 32 31 64 63 33 61 66 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                       Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: VpS2XpKxQka3I4jM.3\r\nContext: dac5212521dc3af1\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2025-01-15 01:53:07 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:53:07 UTC58INData Raw: 4d 53 2d 43 56 3a 20 45 70 33 76 51 7a 37 6e 31 6b 61 6a 4b 49 74 57 49 4e 4e 67 64 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: Ep3vQz7n1kajKItWINNgdg.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       8           192.168.2.5  50320        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:53:12 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 48 4c 4d 35 50 75 72 44 48 6b 65 34 6b 64 69 61 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 38 35 63 30 65 31 64 62 36 39 31 30 36 37 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: HLM5PurDHke4kdia.1\r\nContext: 3d85c0e1db691067\r\n\r\n
                                                      2025-01-15 01:53:12 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:53:12 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 48 4c 4d 35 50 75 72 44 48 6b 65 34 6b 64 69 61 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 38 35 63 30 65 31 64 62 36 39 31 30 36 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: HLM5PurDHke4kdia.2\r\nContext: 3d85c0e1db691067\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:53:12 UTC74OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 48 4c 4d 35 50 75 72 44 48 6b 65 34 6b 64 69 61 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 38 35 63 30 65 31 64 62 36 39 31 30 36 37 0d 0a 0d 0a
                                                       Data Ascii: BND 3 CON\QOS 56\r\nMS-CV: HLM5PurDHke4kdia.3\r\nContext: 3d85c0e1db691067\r\n\r\n
                                                      2025-01-15 01:53:12 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58\r\n
                                                      2025-01-15 01:53:12 UTC58INData Raw: 4d 53 2d 43 56 3a 20 55 67 65 4a 38 6c 64 71 6d 55 71 6e 38 32 49 75 46 6a 69 6e 47 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: UgeJ8ldqmUqn82IuFjinGA.0\r\n\r\nPayload parsing failed.


                                                       Session ID  Source IP    Source Port  Destination IP  Destination Port
                                                       9           192.168.2.5  50475        40.115.3.253    443
                                                       Timestamp                Bytes transferred  Direction  Data
                                                      2025-01-15 01:53:35 UTC71OUTData Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 38 61 4e 66 73 33 7a 50 30 69 55 50 38 41 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 62 35 62 33 34 66 61 38 39 33 64 63 30 65 34 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305\r\nMS-CV: o8aNfs3zP0iUP8AI.1\r\nContext: 7b5b34fa893dc0e4\r\n\r\n
                                                      2025-01-15 01:53:35 UTC249OUTData Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                      Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                      2025-01-15 01:53:35 UTC1084OUTData Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6f 38 61 4e 66 73 33 7a 50 30 69 55 50 38 41 49 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 62 35 62 33 34 66 61 38 39 33 64 63 30 65 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                      Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: o8aNfs3zP0iUP8AI.2Context: 7b5b34fa893dc0e4<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                      2025-01-15 01:53:35 UTC218OUTData Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 38 61 4e 66 73 33 7a 50 30 69 55 50 38 41 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 62 35 62 33 34 66 61 38 39 33 64 63 30 65 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                      Data Ascii: BND 3 CON\WNS 0 197MS-CV: o8aNfs3zP0iUP8AI.3Context: 7b5b34fa893dc0e4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                      2025-01-15 01:53:35 UTC14INData Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                      Data Ascii: 202 1 CON 58
                                                      2025-01-15 01:53:35 UTC58INData Raw: 4d 53 2d 43 56 3a 20 75 64 31 45 4a 61 74 6a 67 55 4f 51 57 6c 4f 57 79 4b 41 57 55 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                      Data Ascii: MS-CV: ud1EJatjgUOQWlOWyKAWUg.0Payload parsing failed.


                                                       Session ID: 10 | Source: 192.168.2.5:50673 | Destination: 40.115.3.253:443
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2025-01-15 01:53:39 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 68 50 41 5a 55 47 30 67 63 45 65 61 49 74 77 4b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 33 62 36 34 32 39 37 65 38 30 39 64 62 37 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305MS-CV: hPAZUG0gcEeaItwK.1Context: b13b64297e809db7
                                                       2025-01-15 01:53:39 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                       Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                       2025-01-15 01:53:39 UTC | 1084 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 68 50 41 5a 55 47 30 67 63 45 65 61 49 74 77 4b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 33 62 36 34 32 39 37 65 38 30 39 64 62 37 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: hPAZUG0gcEeaItwK.2Context: b13b64297e809db7<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                       2025-01-15 01:53:39 UTC | 74 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 68 50 41 5a 55 47 30 67 63 45 65 61 49 74 77 4b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 31 33 62 36 34 32 39 37 65 38 30 39 64 62 37 0d 0a 0d 0a
                                                       Data Ascii: BND 3 CON\QOS 56MS-CV: hPAZUG0gcEeaItwK.3Context: b13b64297e809db7
                                                       2025-01-15 01:53:39 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58
                                                       2025-01-15 01:53:39 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 7a 30 6c 66 43 45 51 47 4b 55 47 38 4b 30 63 78 32 39 50 76 4e 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: z0lfCEQGKUG8K0cx29PvNw.0Payload parsing failed.


                                                       Session ID: 11 | Source: 192.168.2.5:50674 | Destination: 40.115.3.253:443
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2025-01-15 01:54:09 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4e 63 6f 78 4a 66 2f 6c 6c 6b 47 57 61 31 79 4f 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 36 65 64 38 35 32 38 35 37 36 64 38 34 38 30 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305MS-CV: NcoxJf/llkGWa1yO.1Context: 96ed8528576d8480
                                                       2025-01-15 01:54:09 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                       Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                       2025-01-15 01:54:09 UTC | 1084 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4e 63 6f 78 4a 66 2f 6c 6c 6b 47 57 61 31 79 4f 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 36 65 64 38 35 32 38 35 37 36 64 38 34 38 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: NcoxJf/llkGWa1yO.2Context: 96ed8528576d8480<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                       2025-01-15 01:54:09 UTC | 218 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4e 63 6f 78 4a 66 2f 6c 6c 6b 47 57 61 31 79 4f 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 36 65 64 38 35 32 38 35 37 36 64 38 34 38 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                                       Data Ascii: BND 3 CON\WNS 0 197MS-CV: NcoxJf/llkGWa1yO.3Context: 96ed8528576d8480<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                                       2025-01-15 01:54:09 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58
                                                       2025-01-15 01:54:09 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 58 52 63 66 77 63 44 45 72 6b 4f 45 66 46 71 42 37 37 58 54 63 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: XRcfwcDErkOEfFqB77XTcw.0Payload parsing failed.


                                                       Session ID: 12 | Source: 192.168.2.5:50675 | Destination: 40.115.3.253:443
                                                       Timestamp | Bytes transferred | Direction | Data
                                                       2025-01-15 01:54:16 UTC | 71 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6d 59 39 71 79 78 4c 47 2f 55 65 4f 41 63 2f 46 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 65 30 38 34 32 35 32 32 34 61 31 65 39 37 61 0d 0a 0d 0a
                                                       Data Ascii: CNT 1 CON 305MS-CV: mY9qyxLG/UeOAc/F.1Context: be08425224a1e97a
                                                       2025-01-15 01:54:16 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                                       Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                                       2025-01-15 01:54:16 UTC | 1084 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6d 59 39 71 79 78 4c 47 2f 55 65 4f 41 63 2f 46 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 65 30 38 34 32 35 32 32 34 61 31 65 39 37 61 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 51 30 74 6d 6a 44 79 7a 73 73 67 73 73 6a 55 72 36 6f 71 35 30 72 31 43 6d 55 38 67 67 46 59 6b 46 49 46 77 4c 6f 59 65 56 47 63 6c 38 2b 46 35 64 5a 42 72 4c 41 56 4e 37 61 62 62 71 7a 73 6e 4a 47 6d 2b 55 79 74 64 37 59 4e 31 50 70 45 57 74 47 36 4d 30 75 6b 70 34 48 50 78 62 4d 56 77 57 53 70 61 2b 50 45 37 51 31 43 58 65
                                                       Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: mY9qyxLG/UeOAc/F.2Context: be08425224a1e97a<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAQ0tmjDyzssgssjUr6oq50r1CmU8ggFYkFIFwLoYeVGcl8+F5dZBrLAVN7abbqzsnJGm+Uytd7YN1PpEWtG6M0ukp4HPxbMVwWSpa+PE7Q1CXe
                                                       2025-01-15 01:54:16 UTC | 74 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 6d 59 39 71 79 78 4c 47 2f 55 65 4f 41 63 2f 46 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 65 30 38 34 32 35 32 32 34 61 31 65 39 37 61 0d 0a 0d 0a
                                                       Data Ascii: BND 3 CON\QOS 56MS-CV: mY9qyxLG/UeOAc/F.3Context: be08425224a1e97a
                                                       2025-01-15 01:54:16 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                                       Data Ascii: 202 1 CON 58
                                                       2025-01-15 01:54:16 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 33 71 42 6a 59 4c 79 30 32 30 65 54 49 53 38 6d 5a 51 4e 2b 7a 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                                       Data Ascii: MS-CV: 3qBjYLy020eTIS8mZQN+zA.0Payload parsing failed.
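The session dumps above print each TCP write as a hex row, so the exchange with 40.115.3.253:443 has to be rebuilt before it can be judged. The following Python is an added example, not part of the Joe Sandbox report: it takes the rows of session 9 as printed, checks the hex against the stated byte counts and the Data Ascii column, reassembles each direction into a byte stream, and parses the messages using the length field on each start line (`VERB SEQ TARGET [...] LENGTH`, then LENGTH bytes of `Name: value` headers, a blank line and a body). That framing is inferred from the captured bytes themselves and is an assumption, not something taken from a protocol specification. Read this way the payloads answer the triage question: the client binds `CON\WNS`, names itself `WPN` on a device called `VMware20,1`, and the server replies `202` with "Payload parsing failed.", which marks this as the analysis VM's own Windows push-notification client talking to Microsoft rather than command-and-control traffic from the sample.

```python
"""Decode and triage one of the TCP sessions dumped in this report.

Added example, not part of the Joe Sandbox report. It rebuilds the bytes from
the "Data Raw" hex, checks them against the printed byte counts and "Data
Ascii" column, reassembles each direction into a stream and parses the
length-framed messages: a start line "VERB SEQ TARGET [...] LENGTH\\r\\n"
followed by LENGTH bytes holding "Name: value" headers, a blank line and a
body. The framing is inferred from the captured bytes, not from a specification.
"""
import re
from dataclasses import dataclass

# Rows copied from session 9 of this report: (timestamp, bytes transferred,
# direction, Data Raw, Data Ascii). The 1084-byte ATH frame is left out because
# the report prints only its first 256 bytes.
SESSION_9 = [
    ("2025-01-15 01:53:35 UTC", 71, "OUT",
     "43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6f 38 61 4e 66 73 33 7a 50 30 69 55 50 38 41 49 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 62 35 62 33 34 66 61 38 39 33 64 63 30 65 34 0d 0a 0d 0a",
     "CNT 1 CON 305MS-CV: o8aNfs3zP0iUP8AI.1Context: 7b5b34fa893dc0e4"),
    ("2025-01-15 01:53:35 UTC", 249, "OUT",
     "3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e",
     "<connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>"),
    ("2025-01-15 01:53:35 UTC", 218, "OUT",
     "42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6f 38 61 4e 66 73 33 7a 50 30 69 55 50 38 41 49 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 62 35 62 33 34 66 61 38 39 33 64 63 30 65 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e",
     'BND 3 CON\\WNS 0 197MS-CV: o8aNfs3zP0iUP8AI.3Context: 7b5b34fa893dc0e4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>'),
    ("2025-01-15 01:53:35 UTC", 14, "IN",
     "32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a",
     "202 1 CON 58"),
    ("2025-01-15 01:53:35 UTC", 58, "IN",
     "4d 53 2d 43 56 3a 20 75 64 31 45 4a 61 74 6a 67 55 4f 51 57 6c 4f 57 79 4b 41 57 55 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e",
     "MS-CV: ud1EJatjgUOQWlOWyKAWUg.0Payload parsing failed."),
]


@dataclass
class Message:
    verb: str       # CNT / ATH / BND from the client, a status such as 202 from the server
    seq: int
    target: str     # CON, CON\DEVICE, CON\WNS, CON\QOS
    headers: dict
    body: bytes


def decode_hex(raw: str) -> bytes:
    """Turn a "Data Raw" cell ("43 4e 54 ...") back into bytes."""
    return bytes.fromhex(raw)


def ascii_view(data: bytes) -> str:
    """Reproduce the report's "Data Ascii" column: printable bytes only, CR/LF dropped."""
    return "".join(chr(b) for b in data if 32 <= b < 127)


def check_rows(rows) -> bool:
    """True when every row's byte count and Data Ascii agree with its Data Raw hex."""
    return all(len(decode_hex(raw)) == n and ascii_view(decode_hex(raw)) == shown
               for _, n, _, raw, shown in rows)


def parse_stream(data: bytes) -> list:
    """Split one direction's byte stream into messages using the start line's length field."""
    msgs, pos = [], 0
    while pos < len(data):
        eol = data.index(b"\r\n", pos)
        tokens = data[pos:eol].decode("ascii").split(" ")
        verb, seq, target, length = tokens[0], int(tokens[1]), tokens[2], int(tokens[-1])
        start, end = eol + 2, eol + 2 + length
        if end > len(data):   # the report truncates long frames; refuse to parse a partial message
            raise ValueError(f"{verb} {seq}: declares {length} bytes, only {len(data) - start} present")
        head, _, body = data[start:end].partition(b"\r\n\r\n")
        headers = dict(line.decode("ascii").split(": ", 1) for line in head.split(b"\r\n") if line)
        msgs.append(Message(verb, seq, target, headers, body))
        pos = end
    return msgs


def triage(rows) -> dict:
    """Summarise the exchange: bindings requested, client/device named in the bodies, server reply."""
    out = b"".join(decode_hex(raw) for _, _, d, raw, _ in rows if d == "OUT")
    inc = b"".join(decode_hex(raw) for _, _, d, raw, _ in rows if d == "IN")
    requests, responses = parse_stream(out), parse_stream(inc)
    bodies = b"".join(m.body for m in requests)

    def tag(name: bytes):   # first <name>...</name> element in the request bodies; not a full XML parse
        m = re.search(rb"<" + name + rb">([^<]*)</" + name + rb">", bodies)
        return m.group(1).decode() if m else None

    return {
        "requests": [f"{m.verb} {m.seq} {m.target}" for m in requests],
        "context": {m.headers.get("Context") for m in requests},
        "ms_cv": sorted({m.headers["MS-CV"].rsplit(".", 1)[0] for m in requests}),
        "client": tag(b"name"), "device": tag(b"deviceName"), "os_version": tag(b"osVer"),
        "status": responses[0].verb if responses else None,
        "server_text": responses[0].body.decode() if responses else None,
    }


if __name__ == "__main__":
    print("rows consistent with hex:", check_rows(SESSION_9))
    for key, value in triage(SESSION_9).items():
        print(f"{key:12} {value}")
```

Two details matter for reusing this on other sessions of the report. The client's `CNT 1 CON 305` start line declares 305 bytes but the 71-byte row holds only the headers; the 249-byte `<connect>` body arrives in the next row, so the directions must be concatenated before parsing rather than parsed row by row. And a frame the report truncates (the 1084-byte `ATH` row is cut at 256 bytes) makes `parse_stream` raise instead of returning a half message, which is the behaviour you want before building detections on reconstructed payloads.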


                                                      Target ID:0
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\loaddll32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:loaddll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll"
                                                      Imagebase:0x730000
                                                      File size:126'464 bytes
                                                      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:1
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\conhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                      Imagebase:0x7ff6d64d0000
                                                      File size:862'208 bytes
                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:2
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1
                                                      Imagebase:0x790000
                                                      File size:236'544 bytes
                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:3
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:rundll32.exe C:\Users\user\Desktop\542CxvZnI5.dll,PlayGame
                                                      Imagebase:0xe40000
                                                      File size:61'440 bytes
                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:4
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",#1
                                                      Imagebase:0xe40000
                                                      File size:61'440 bytes
                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high
                                                      Has exited:true

                                                      Target ID:5
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\mssecsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\WINDOWS\mssecsvc.exe
                                                      Imagebase:0x400000
                                                      File size:3'784'704 bytes
                                                      MD5 hash:433720564D376A59C4FC3F2F8ACEC030
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000005.00000002.2369222468.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2367955469.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2155806207.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000005.00000002.2372011334.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2155929134.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                      • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                      • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                      Antivirus matches:
                                                      • Detection: 100%, Avira
                                                      • Detection: 100%, Joe Sandbox ML
                                                      • Detection: 95%, ReversingLabs
                                                      Reputation:low
                                                      Has exited:true

                                                      Target ID:7
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\winlogon.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:winlogon.exe
                                                      Imagebase:0x7ff6156c0000
                                                      File size:906'240 bytes
                                                      MD5 hash:F8B41A1B3E569E7E6F990567F21DCE97
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.3402551905.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.3403262644.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.2157612272.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:8
                                                      Start time:20:52:14
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\lsass.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\lsass.exe
                                                      Imagebase:0x7ff654c90000
                                                      File size:59'456 bytes
                                                      MD5 hash:A1CC00332BBF370654EE3DC8CDC8C95A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.3403585451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.3402846585.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.2159244338.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:9
                                                      Start time:20:52:15
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.3402992756.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.3403852852.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.2162403933.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:high
                                                      Has exited:false

                                                      Target ID:10
                                                      Start time:20:52:16
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\fontdrvhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"fontdrvhost.exe"
                                                      Imagebase:0x7ff7b5950000
                                                      File size:827'408 bytes
                                                      MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.3493795280.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.3402819580.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000000.2172969564.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Reputation:moderate
                                                      Has exited:false

                                                      Target ID:11
                                                      Start time:20:52:16
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\fontdrvhost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"fontdrvhost.exe"
                                                      Imagebase:0x7ff7b5950000
                                                      File size:827'408 bytes
                                                      MD5 hash:BBCB897697B3442657C7D6E3EDDBD25F
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000000.2174451067.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.3402735400.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000B.00000002.3493788665.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:12
                                                      Start time:20:52:16
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k RPCSS -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.3403150697.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.3403935827.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000000.2175662143.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:13
                                                      Start time:20:52:16
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.2179195689.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.3400994676.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.3400610797.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:14
                                                      Start time:20:52:17
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\dwm.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:"dwm.exe"
                                                      Imagebase:0x7ff79d4a0000
                                                      File size:94'720 bytes
                                                      MD5 hash:5C27608411832C5B39BA04E33D53536C
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.3403338621.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000000.2181731693.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.3493625570.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:15
                                                      Start time:20:52:17
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:rundll32.exe "C:\Users\user\Desktop\542CxvZnI5.dll",PlayGame
                                                      Imagebase:0xe40000
                                                      File size:61'440 bytes
                                                      MD5 hash:889B99C52A60DD49227C5E485A016679
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Has exited:true

                                                      Target ID:16
                                                      Start time:20:52:17
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\mssecsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\WINDOWS\mssecsvc.exe
                                                      Imagebase:0x400000
                                                      File size:3'784'704 bytes
                                                      MD5 hash:433720564D376A59C4FC3F2F8ACEC030
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000000.2185024353.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000002.2367251245.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000000.2185188875.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000010.00000000.2185188875.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:true

                                                      Target ID:17
                                                      Start time:20:52:17
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\mssecsvc.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\WINDOWS\mssecsvc.exe -m security
                                                      Imagebase:0x400000
                                                      File size:3'784'704 bytes
                                                      MD5 hash:433720564D376A59C4FC3F2F8ACEC030
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.3006271461.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2983639240.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2980597130.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2979906966.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000000.2188065513.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2982951688.0000000001FA0000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
                                                      • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000000.2188241979.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                      • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000000.2188241979.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                      Has exited:true

                                                      Target ID:18
                                                      Start time:20:52:17
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.3402282133.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.2190133611.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.3402842670.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:19
                                                      Start time:20:52:18
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.3400697506.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.3400562813.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000000.2193268117.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:20
                                                      Start time:20:52:18
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000000.2196070682.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.3403105922.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.3402428958.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:21
                                                      Start time:20:52:18
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.3403522882.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000000.2198977925.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.3404464062.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:22
                                                      Start time:20:52:19
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.2202870396.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.3404523967.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.3403542982.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:23
                                                      Start time:20:52:19
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.3400997195.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.3400698716.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000000.2205891354.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:24
                                                      Start time:20:52:21
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.3400695649.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.2223034706.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.3401226137.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:25
                                                      Start time:20:52:21
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.3400704837.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.2223988543.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.3401117945.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:26
                                                      Start time:20:52:21
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.2228632401.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.3403667247.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.3404729920.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:27
                                                      Start time:20:52:22
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.2236151257.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.3401002112.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.3400703981.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:28
                                                      Start time:20:52:23
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000000.2241048704.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.3403893417.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.3404976335.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:29
                                                      Start time:20:52:23
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.3402243073.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000000.2247232722.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.3401707801.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:30
                                                      Start time:20:52:23
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000002.3402432003.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000000.2248711553.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000002.3401875690.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:31
                                                      Start time:20:52:24
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.3401714846.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.3402354767.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000000.2253051631.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:32
                                                      Start time:20:52:24
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.3405291179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000000.2254076183.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.3404111410.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:33
                                                      Start time:20:52:24
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.3404348411.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.3405677404.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000000.2256281044.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:34
                                                      Start time:20:52:24
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.2258234045.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.3404477534.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.3405775251.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:35
                                                      Start time:20:52:24
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.3405944268.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.2259095161.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.3404573979.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:36
                                                      Start time:20:52:25
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.3402001391.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000000.2262953528.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.3402662179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:37
                                                      Start time:20:52:25
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.3406217056.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.2264447813.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.3404889708.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:38
                                                      Start time:20:52:25
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:false
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.3402824272.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.2267954326.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.3402229166.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:39
                                                      Start time:20:52:26
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.3406467423.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.3405187204.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.2271192362.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:40
                                                      Start time:20:52:26
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:false
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000000.2275357508.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.3406751993.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.3405487489.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false

                                                      Target ID:41
                                                      Start time:20:52:26
                                                      Start date:14/01/2025
                                                      Path:C:\Windows\System32\svchost.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      Imagebase:0x7ff7e52b0000
                                                      File size:55'320 bytes
                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000000.2276062758.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.3402235476.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.3402829287.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      Has exited:false


                                                        Execution Graph

                                                        Execution Coverage:3.3%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:31.7%
                                                        Total number of Nodes:634
                                                        Total number of Limit Nodes:3
                                                        execution_graph: node/edge dump of the execution graph (nodes are function start addresses such as ad1169, ad37ab and 7fe34ba4, annotated with the APIs each calls, e.g. LoadLibraryA, GetProcAddress, NtMapViewOfSection, NtProtectVirtualMemory, NtWriteVirtualMemory, CreateRemoteThread, gethostbyname, connect; edges are call and return relations). The graph layout is not recoverable as text; the per-function API calls are listed in each function's APIs section of the report.

                                                        Control-flow Graph

                                                        control_flow_graph: basic-block graph of the function at ad042d (blocks ad042d-ad086c, marked executed / not executed, with the API called in each block, e.g. GetModuleHandleA, GetVersion, VirtualAlloc, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, OpenProcess, CreateRemoteThread); layout not recoverable as text.
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00AD04BE
                                                        • GetVersion.KERNEL32 ref: 00AD0500
                                                        • VirtualAlloc.KERNEL32(00000000,000076FC,08001000,00000040), ref: 00AD0528
                                                        • CloseHandle.KERNELBASE(?), ref: 00AD05AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$AllocCloseModuleVersionVirtual
                                                        • String ID: \BaseNamedObjects\qsttVt$\BaseNamedObjects\qsttVt$csrs
                                                        • API String ID: 3017432202-1323636118
                                                        • Opcode ID: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction ID: 7d66780ce2e84aae8e160708174802d39c618fe116bf39eb3d1152bb37a2fade
                                                        • Opcode Fuzzy Hash: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction Fuzzy Hash: A0B18B71614249FFEB219F20D809FAE3BA9EF41711F04412AFD0A9E281C7F1AB45DB65

                                                        Control-flow Graph

                                                        control_flow_graph: basic-block graph of the function at ad05f2 (blocks ad05f2-ad086c, marked executed / not executed, with the API called in each block, e.g. GetModuleHandleA, SetProcessAffinityMask, lstrcpyW, lstrcatW, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, OpenProcess, CreateRemoteThread, CloseHandle); layout not recoverable as text.
                                                        APIs
                                                        • CloseHandle.KERNELBASE(?), ref: 00AD05AD
                                                        • GetModuleHandleA.KERNEL32(00AD05EC), ref: 00AD05F2
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\qsttVt,\BaseNamedObjects\qsttVt,?,?,?,?), ref: 00AD070A
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\qsttVt,?), ref: 00AD0727
                                                        • lstrcatW.KERNEL32(\BaseNamedObjects\qsttVt,\qsttVt), ref: 00AD0735
                                                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000076FC,00000000,?,00000002,00000000,00000040), ref: 00AD0765
                                                        • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00AD0780
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07C3
                                                        • Process32First.KERNEL32 ref: 00AD07D6
                                                        • Process32Next.KERNEL32 ref: 00AD07E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07FF
                                                        • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 00AD083C
                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD0857
                                                        • CloseHandle.KERNELBASE ref: 00AD0866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                        • String ID: \BaseNamedObjects\qsttVt$\BaseNamedObjects\qsttVt$csrs
                                                        • API String ID: 1545766225-1323636118
                                                        • Opcode ID: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction ID: 53d6151e64933bc42ae61b309bf5a736567cc01b2034f31e5ec370622739af7f
                                                        • Opcode Fuzzy Hash: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction Fuzzy Hash: 8F716A31500209FFEB259F20D849FAE3BADEF45711F04402AED0A9E291C7B5AF459B69

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 184 ad1169-ad1181 LoadLibraryA call ad1190 187 ad11ec 184->187 188 ad1183 184->188 189 ad11ee-ad11f2 187->189 188->189 190 ad1185-ad118c 188->190 191 ad11f3-ad1209 189->191 190->191 192 ad118e-ad1194 190->192 193 ad11e9 191->193 194 ad120b-ad120f 191->194 195 ad11bd 192->195 196 ad1196-ad11b3 192->196 198 ad1259-ad1264 193->198 199 ad11eb 193->199 200 ad1279-ad1280 194->200 201 ad1210-ad1218 194->201 197 ad11be-ad11d2 195->197 208 ad11b5-ad11bc 196->208 197->208 217 ad11d4-ad11d6 197->217 205 ad1265-ad1271 198->205 199->187 204 ad1281-ad1298 200->204 206 ad11da-ad11e6 201->206 207 ad121a-ad1243 201->207 215 ad1299-ad129e 204->215 206->193 216 ad1250-ad1256 207->216 208->195 208->197 218 ad12a1-ad12ab 215->218 216->198 217->206 219 ad131d-ad131f 218->219 220 ad12ad-ad12b3 218->220 221 ad1351-ad1353 219->221 222 ad1321-ad1323 219->222 223 ad1315 220->223 224 ad12b5-ad12b7 220->224 225 ad13a5-ad13aa 221->225 226 ad1355-ad1357 221->226 228 ad1375-ad1377 222->228 229 ad1325-ad132b 222->229 227 ad1319-ad131b 223->227 230 ad12f9-ad12fb 224->230 231 ad12b9-ad12bd 224->231 239 ad13b5-ad13bf 225->239 232 ad13c9-ad13cb 226->232 233 ad1359-ad135b 226->233 227->219 234 ad137d-ad1389 227->234 237 ad1379-ad137c 228->237 238 ad13e7 228->238 235 ad12fd-ad12ff 229->235 236 ad132d-ad1333 229->236 230->235 230->236 231->216 241 ad12bf 231->241 248 ad13fd-ad1404 232->248 249 ad13cd-ad13cf 232->249 242 ad134d 233->242 243 ad135d-ad1361 233->243 250 ad138d-ad1390 234->250 235->204 251 ad1301-ad1307 235->251 246 ad1365-ad136b 236->246 247 ad1335-ad1337 236->247 237->234 238->237 252 ad13e9-ad13ef 238->252 244 ad13a1 239->244 245 ad13c1-ad13c7 239->245 241->218 255 ad12c1-ad12c3 241->255 242->221 243->246 244->225 245->232 268 ad1429-ad146e LookupPrivilegeValueA NtAdjustPrivilegesToken 245->268 246->236 257 ad136d-ad136f 246->257 247->227 259 ad1339-ad133b 247->259 260 ad13e1-ad13e6 249->260 261 ad13d1-ad13df 249->261 262 ad1391-ad139b 250->262 251->215 253 ad1309-ad130b 251->253 252->262 264 ad13f1-ad13fb 252->264 253->235 263 ad130d-ad1313 253->263 255->229 265 ad12c5 255->265 266 ad1341-ad1343 257->266 267 ad1371 257->267 259->250 269 ad133d 259->269 260->238 261->260 261->264 271 ad139d-ad13a0 262->271 263->223 263->224 264->248 264->271 273 ad12c9-ad12cb 265->273 266->239 276 ad1345-ad134b 266->276 267->228 274 ad133f 269->274 275 ad12d0-ad12d3 269->275 271->244 273->235 277 ad12cd 273->277 274->251 274->266 275->205 278 ad12d5-ad12db 275->278 276->242 276->277 277->275 279 ad12ed-ad12ef 278->279 280 ad12dd-ad12e3 278->280 279->251 282 ad12f1-ad12f3 279->282 280->226 281 ad12e5-ad12e7 280->281 281->273 283 ad12e9 281->283 282->226 284 ad12f5-ad12f7 282->284 283->279 284->200 284->230
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00AD115C,00AD0790,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD1169
                                                          • Part of subcall function 00AD1190: GetProcAddress.KERNEL32(00000000,00AD117A), ref: 00AD1191
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: \qsttVt
                                                        • API String ID: 2574300362-188326006
                                                        • Opcode ID: 1e35bcb8b8532a76048d0d86edb04d2014c8a2691d4d50d2cd834940a34cba53
                                                        • Instruction ID: 978591bf8bf87abb4ff433b377978e46bc8d4eb2b671bbc846fcf6c05fce6a48
                                                        • Opcode Fuzzy Hash: 1e35bcb8b8532a76048d0d86edb04d2014c8a2691d4d50d2cd834940a34cba53
                                                        • Instruction Fuzzy Hash: AEA17B659582937BCB629B358C894E9BF61EB3336474846EFE043CF783E2128947C791

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 285 ad2529-ad256d NtOpenSection
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,0000000E), ref: 00AD2558
                                                        Strings
                                                        • \BaseNamedObjects\qsttVt, xrefs: 00AD2545
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: OpenSection
                                                        • String ID: \BaseNamedObjects\qsttVt
                                                        • API String ID: 1950954290-689536162
                                                        • Opcode ID: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction ID: b3aacc91b347d59d7f115e11f4200a74d00a3252589c1a9605fbc5584bb4d301
                                                        • Opcode Fuzzy Hash: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction Fuzzy Hash: C2E0D8F17401063EFB185719CC07FF7218DDB80601F048508F914DA080E5F4DF1182B8

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 286 ad256e-ad2576 call ad2529 289 ad257c-ad25ae NtMapViewOfSection CloseHandle 286->289 290 ad265b-ad265e 286->290 289->290 291 ad25b4-ad25ba 289->291 292 ad25bc-ad25c5 291->292 293 ad25c8-ad25d2 291->293 292->293 294 ad25e9-ad2624 call ad2471 * 3 293->294 295 ad25d4-ad25dc 293->295 304 ad2626-ad262c call ad2471 294->304 305 ad2631-ad2639 294->305 295->294 297 ad25de-ad25e4 call ad2471 295->297 297->294 304->305 307 ad263b-ad2641 call ad2471 305->307 308 ad2646-ad264e 305->308 307->308 308->290 310 ad2650-ad2656 call ad2471 308->310 310->290
                                                        APIs
                                                          • Part of subcall function 00AD2529: NtOpenSection.NTDLL(?,0000000E), ref: 00AD2558
                                                        • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B6FC,00000000,?,00000002,00100000,00000040), ref: 00AD259E
                                                        • CloseHandle.KERNELBASE(00000000,0000B6FC,00000000,?,00000002,00100000,00000040,00000000,0000B6FC,00000000,?,00AD080F), ref: 00AD25A6
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Section$CloseHandleOpenView
                                                        • String ID:
                                                        • API String ID: 2731707328-0
                                                        • Opcode ID: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction ID: b2e73985a9a7b7b952443b30ab2ea9ac9dfdd61704f696baa1779b37126f5dbf
                                                        • Opcode Fuzzy Hash: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction Fuzzy Hash: 1F212CB4300606AAEB28DB25DD96FA97369EFA0740F000129FD1A8F2D4DBB1AF55C754

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 312 ad141c-ad146e LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD1454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD1464
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction ID: 01f7e7575b44af39e84b9ee94f66a89c6d22cfdb503e39dbcfd023e7ab42d64d
                                                        • Opcode Fuzzy Hash: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction Fuzzy Hash: 9FF08236542520BBD6206F56CC8EED77E28EF533A0F144956F4484E156C2A28BA5D3E4

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 314 ad2471-ad24a7 NtProtectVirtualMemory NtWriteVirtualMemory
                                                        APIs
                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00AD2495
                                                        • NtWriteVirtualMemory.NTDLL ref: 00AD249E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MemoryVirtual$ProtectWrite
                                                        • String ID:
                                                        • API String ID: 151266762-0
                                                        • Opcode ID: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction ID: bec36d184e0d76b253c82774af185ce515cf0d17d059aebebe1b98a4915fad90
                                                        • Opcode Fuzzy Hash: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction Fuzzy Hash: 7AE0ECA06502007FF5185B159C5BF7B391DDB41A45F410108FA0A98184F9A15E14467A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 315 ad1444-ad146e LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD1454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD1464
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction ID: 0db5ea05f469a6ff49ad20a45e501a6d4802517c6c4e4fc049ea7a79551dc49b
                                                        • Opcode Fuzzy Hash: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction Fuzzy Hash: 06D05E31603030BBD6302E0A8C0EED73D1DEF537B0F004400F80C8A191C1A28EA1C6F5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 346 a7302f-a73043 call a730c5 GetPEB 349 a73045-a73068 call a730c5 call a730c1 346->349 350 a73071-a798fa call a73008 346->350 356 a7306d-a73070 349->356 359 a79932-a79946 call a798f1 350->359 360 a798fc-a79904 350->360 356->350 360->359 361 a79906-a79931 360->361 361->359
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369222468.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000005.00000002.2367775905.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367835613.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367898202.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367955469.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367955469.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2368099020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4656093ae1c7bbb04d21488f95fe7bddf1a9615c02ec3ad5a29a1aa1a73d1730
                                                        • Instruction ID: 423065dfefecc7dea162951949b78e36b3c1b093d43354c81d1a365680741e01
                                                        • Opcode Fuzzy Hash: 4656093ae1c7bbb04d21488f95fe7bddf1a9615c02ec3ad5a29a1aa1a73d1730
                                                        • Instruction Fuzzy Hash: 28118C737042519BEB119E2CCD81EAE7762EFC4324F10C31AA5085F182CA3296439681

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 364 7fe36573-7fe3657d call 7fe36580
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
                                                        • Instruction ID: 682ed4916e240e91bb3464655f64230a32071a9ff5bd5beac95eb51c5ce772d4
                                                        • Opcode Fuzzy Hash: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
                                                        • Instruction Fuzzy Hash:

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 129 ad07a6-ad07b9 call ad1444 FreeLibrary CloseHandle 132 ad07bf-ad07de CreateToolhelp32Snapshot Process32First 129->132 133 ad07e5-ad07ef Process32Next 132->133 134 ad085f-ad086c CloseHandle 133->134 135 ad07f1-ad07f5 133->135 137 ad05a9-ad05d1 CloseHandle 134->137 135->133 136 ad07f7-ad0807 OpenProcess 135->136 136->133 138 ad0809 136->138 141 ad05d3-ad05fc SetProcessAffinityMask call ad05f2 137->141 140 ad080a-ad0812 call ad256e 138->140 146 ad0814-ad081a 140->146 147 ad0856-ad085d CloseHandle 140->147 148 ad05fe-ad061c 141->148 149 ad0621-ad0630 141->149 146->147 150 ad081c-ad082c 146->150 147->133 148->149 151 ad0639-ad0652 149->151 152 ad0632 149->152 150->147 153 ad082e-ad0845 CreateRemoteThread 150->153 151->137 154 ad0658-ad0671 151->154 152->151 153->147 155 ad0847-ad0851 call ad05ba 153->155 154->137 156 ad0677-ad0690 154->156 155->147 156->137 158 ad0696-ad069c 156->158 159 ad069e-ad06b1 158->159 160 ad06d8-ad06de 158->160 159->137 161 ad06b7-ad06bd 159->161 162 ad06fc-ad0715 lstrcpyW call ad24a8 160->162 163 ad06e0-ad06f3 160->163 161->160 166 ad06bf-ad06d2 161->166 168 ad0717-ad0740 GetPEB lstrcpyW lstrcatW call ad24a8 162->168 169 ad0746-ad076f NtMapViewOfSection 162->169 163->162 164 ad06f5 163->164 164->162 166->137 166->160 168->137 168->169 169->137 171 ad0775-ad0789 call ad0305 NtOpenProcessToken 169->171 171->132 175 ad078b-ad079d call ad1157 call ad07a6 171->175 180 ad079f 175->180 181 ad0808-ad0809 175->181 180->140 182 ad07a1-ad07de CreateToolhelp32Snapshot Process32First 180->182 181->140 182->133
                                                        APIs
                                                          • Part of subcall function 00AD1444: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD1454
                                                          • Part of subcall function 00AD1444: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD1464
                                                        • CloseHandle.KERNELBASE(?), ref: 00AD05AD
                                                        • FreeLibrary.KERNEL32(75070000,?,00AD0795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07B2
                                                        • CloseHandle.KERNELBASE(?,?,00AD0795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07B9
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07C3
                                                        • Process32First.KERNEL32 ref: 00AD07D6
                                                        • Process32Next.KERNEL32 ref: 00AD07E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD07FF
                                                        • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 00AD083C
                                                        • CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00AD0857
                                                        • CloseHandle.KERNELBASE ref: 00AD0866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                        • String ID: csrs
                                                        • API String ID: 3908997113-2321902090
                                                        • Opcode ID: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction ID: 123a81c40f25fdebda7a90497da1887e2f3515fa74237ab6176f182a5619d291
                                                        • Opcode Fuzzy Hash: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction Fuzzy Hash: 21112E71506205FBEB255F21CD4DFBE3A6DEF44711F00002EF94B9A192DBB09B41966A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 316 7fe343d2-7fe343da 317 7fe34401-7fe3442f CreateFileA 316->317 318 7fe343dc-7fe343e6 316->318 324 7fe34435-7fe3443d 317->324 318->317 323 7fe343e8-7fe343f9 318->323 323->317 328 7fe343fb 323->328 326 7fe34460-7fe34486 324->326 327 7fe3443f-7fe34458 324->327 333 7fe34491-7fe344bb 326->333 334 7fe34488-7fe3448f 326->334 327->326 331 7fe3445a 327->331 328->317 331->326 338 7fe344c6-7fe344e7 333->338 339 7fe344bd-7fe344c4 333->339 334->333 339->338
                                                        APIs
                                                        • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FE3433F,?,7FE34321,?,7FE342FD), ref: 7FE34426
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID:
                                                        • API String ID: 823142352-0
                                                        • Opcode ID: 84c08d243356dc0fc919d1563c1c0c01b0b950833543c4e03403cfd72bfabd16
                                                        • Instruction ID: 8717e8b6497a710bd36704dbfe5b8924ce3f99e2975c281af0b22079df04dbef
                                                        • Opcode Fuzzy Hash: 84c08d243356dc0fc919d1563c1c0c01b0b950833543c4e03403cfd72bfabd16
                                                        • Instruction Fuzzy Hash: 5F21257060530ABAEB264E608D4DBFA366D9F01308F514239F91B9E094E7F56F05D714

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 343 ad05ba-ad05bd 344 ad05bf-ad05c7 Sleep 343->344 345 ad05c9 343->345 344->343
                                                        APIs
                                                        • Sleep.KERNELBASE(0000000A,00AD0856,?,00000000,00000000,-00003BCA,00000002,00000000,?,00000000), ref: 00AD05C1
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: cbe9f769ebb1c608110980d8cf827f438a34bc7706bd5e9152dadd0aa2487085
                                                        • Instruction ID: 964d894fd2a793776e974d311a5db8452aeb17e8a98a3e14336dc8c19994ee66
                                                        • Opcode Fuzzy Hash: cbe9f769ebb1c608110980d8cf827f438a34bc7706bd5e9152dadd0aa2487085
                                                        • Instruction Fuzzy Hash: 52B01238240304D5DA140910640EF443B24BF01B11FE04056FA070C1C406E00600180D
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00AD3CBD), ref: 00AD3CC8
                                                          • Part of subcall function 00AD3CDD: GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                          • Part of subcall function 00AD3CDD: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                          • Part of subcall function 00AD3CDD: GetTickCount.KERNEL32 ref: 00AD3D25
                                                          • Part of subcall function 00AD3CDD: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6E32,00000000,00000000,00000000,00000000), ref: 00AD3DF7
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • ADVAPI32.DLL, xrefs: 00AD3CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 3734769084-2898123092
                                                        • Opcode ID: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction ID: 255b576ff8016ab71e2a2e3b426d281b27046e8c722242e88a42ec6686f35b3f
                                                        • Opcode Fuzzy Hash: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction Fuzzy Hash: 06C1E572515259BEDF35AF24CC1ABEA3BACEF11300F00051BF84A9E181D6F45F45CAA6
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 7FE304BE
                                                        • GetVersion.KERNEL32 ref: 7FE30500
                                                        • VirtualAlloc.KERNEL32(00000000,000076FC,08001000,00000040), ref: 7FE30528
                                                        • CloseHandle.KERNEL32(?), ref: 7FE305AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$AllocCloseModuleVersionVirtual
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 3017432202-3480717028
                                                        • Opcode ID: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction ID: 04f34b70a3527beab436bb0bff5453feb2d818ff2f8925b7a06916a221e9b453
                                                        • Opcode Fuzzy Hash: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction Fuzzy Hash: D3B1AC71915349FFEB229F20CC09BEA3BA9EF41719F404129EE0A9E181C7F0AB45CB55
                                                        APIs
                                                        • CloseHandle.KERNEL32(?), ref: 7FE305AD
                                                        • GetModuleHandleA.KERNEL32(7FE305EC), ref: 7FE305F2
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,\BaseNamedObjects\yietVt,?,?,?,?), ref: 7FE3070A
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,?), ref: 7FE30727
                                                        • lstrcatW.KERNEL32(\BaseNamedObjects\yietVt,\yietVt), ref: 7FE30735
                                                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000076FC,00000000,?,00000002,00000000,00000040), ref: 7FE30765
                                                        • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE30780
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307C3
                                                        • Process32First.KERNEL32 ref: 7FE307D6
                                                        • Process32Next.KERNEL32 ref: 7FE307E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307FF
                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 7FE3083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE30857
                                                        • CloseHandle.KERNEL32 ref: 7FE30866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 1545766225-3480717028
                                                        • Opcode ID: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction ID: 5f8d29788b043f7579ddb3552f6ead3fe933542943f9b5d3a9fd129d50e69607
                                                        • Opcode Fuzzy Hash: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction Fuzzy Hash: F8717E31901219FFDB229F10CC4DBAD3BAEEF45719F800029EA0A9E191C7B5AB45DB55
                                                        APIs
                                                        • GetSystemTime.KERNEL32(00AD74C0), ref: 00AD3831
                                                        • Sleep.KERNEL32(0000EA60), ref: 00AD38A3
                                                        • InternetGetConnectedState.WININET(?,00000000), ref: 00AD38BC
                                                        • gethostbyname.WS2_32(0D278061), ref: 00AD38FE
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00AD3913
                                                        • ioctlsocket.WS2_32(?,8004667E), ref: 00AD392C
                                                        • connect.WS2_32(?,?,00000010), ref: 00AD3945
                                                        • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00AD3953
                                                        • closesocket.WS2_32 ref: 00AD39B2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                                                        • String ID: ceiphj.com
                                                        • API String ID: 159131500-6118775
                                                        • Opcode ID: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction ID: 03dab0c03696cbb48b8462064fafa246a57d4c98600274ddb68a437c2a9b6177
                                                        • Opcode Fuzzy Hash: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction Fuzzy Hash: 1341E272705249BADB315F248C5DBADBA6EAF85710F04401AF90A9E2C1D6F18F00C625
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD33DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD33FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD3432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 00AD344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$\Device\PhysicalMemory
                                                        • API String ID: 2985292042-1440550476
                                                        • Opcode ID: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction ID: 3347d35f520ad2ad6cb8c8480a12756c5046917d8116c21bfe01025f46d17f17
                                                        • Opcode Fuzzy Hash: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction Fuzzy Hash: 34819BB2500208FFEF248F14CC8AAAA37BCEF44711F504559FD1A9B291D6B0AF558AA5
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE333DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE333FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE33432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 7FE3344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$\Device\PhysicalMemory
                                                        • API String ID: 2985292042-1440550476
                                                        • Opcode ID: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction ID: dae858870bd32466b7bddd82511c493b39ec6c13607736059af140c559e1dea1
                                                        • Opcode Fuzzy Hash: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction Fuzzy Hash: 8781CC71900208FFEB258F14CC8AEAA37BDEF04704F914518FD1A9B291D6B0AF55DBA4
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD33DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD33FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD3432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 00AD344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$ysic
                                                        • API String ID: 2985292042-2852681185
                                                        • Opcode ID: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction ID: e5d39e792b0a550b1476985585d03d1798d987fb9f5b82fb56589eb60b6aae1b
                                                        • Opcode Fuzzy Hash: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction Fuzzy Hash: 89116D71140609FBEB248F10CC5AFAB367CEF88704F504519FB1A9A290D7B4AF248655
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE333DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE333FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE33432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 7FE3344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$ysic
                                                        • API String ID: 2985292042-2852681185
                                                        • Opcode ID: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction ID: c22d13a93bd3b9c73f168f7cf7bdc03220e19a3a5620524a59d81e800a0a7989
                                                        • Opcode Fuzzy Hash: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction Fuzzy Hash: 94115B74940609FFEB258F10CC5AFAB367DEF88704F404518EA1A9A291D7B46F289654
                                                        APIs
                                                        • GetTempFileNameA.KERNEL32(?,00AD279D,00000000,?), ref: 00AD27A2
                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AD279D,00000000,?), ref: 00AD27BD
                                                        • InternetReadFile.WININET(?,?,00000104), ref: 00AD27D7
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AD279D,00000000,?), ref: 00AD27ED
                                                        • CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AD279D,00000000,?), ref: 00AD27F9
                                                        • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AD279D), ref: 00AD281D
                                                        • InternetCloseHandle.WININET(?), ref: 00AD282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 00AD2834
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                                                        • String ID:
                                                        • API String ID: 3452404049-0
                                                        • Opcode ID: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction ID: 3b8ca853eee6214f1c13ae3b1aba47129e2d059189a50d4634309c32f6723930
                                                        • Opcode Fuzzy Hash: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction Fuzzy Hash: CB116DB1142606BBEB350B20CC4DFEF7A6CEF95B11F004519FA0A8D181DBB09E50D6B9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFile
                                                        • String ID: !$&$&$($@
                                                        • API String ID: 823142352-3998544071
                                                        • Opcode ID: 935d3fe01e483ae9b1e380af8f2d7e4f9ebb9ebdfa7ef0ecd0523d0a373f3978
                                                        • Instruction ID: 42dae100fec18222106f7dafdc1752d7360eb2aa2eb29d0e1fc5392f25e0b5cc
                                                        • Opcode Fuzzy Hash: 935d3fe01e483ae9b1e380af8f2d7e4f9ebb9ebdfa7ef0ecd0523d0a373f3978
                                                        • Instruction Fuzzy Hash: 8382023190534AEFDB26CF28C8497997BBAEF40319F944219C82A8F285D3F4AF51CB51
                                                        APIs
                                                        • lstrcpyW.KERNEL32(?,\BaseNamedObjects\qsttVt), ref: 00AD24B4
                                                        • lstrlenW.KERNEL32(?), ref: 00AD24BB
                                                        • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00AD2510
                                                        Strings
                                                        • \BaseNamedObjects\qsttVt, xrefs: 00AD24B2
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateSectionlstrcpylstrlen
                                                        • String ID: \BaseNamedObjects\qsttVt
                                                        • API String ID: 2597515329-689536162
                                                        • Opcode ID: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction ID: 6d2c312854f6121ce401f046694641950b81a493101a9980076e275459001e0b
                                                        • Opcode Fuzzy Hash: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction Fuzzy Hash: 9F01A4B0B803057AF7305B79CC8FF5A7A68DF81B50F508518F719AE1C4D6B89A0483A9
                                                        APIs
                                                        • lstrcpyW.KERNEL32(?,\BaseNamedObjects\yietVt), ref: 7FE324B4
                                                        • lstrlenW.KERNEL32(?), ref: 7FE324BB
                                                        • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE32510
                                                        Strings
                                                        • \BaseNamedObjects\yietVt, xrefs: 7FE324B2
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateSectionlstrcpylstrlen
                                                        • String ID: \BaseNamedObjects\yietVt
                                                        • API String ID: 2597515329-129974550
                                                        • Opcode ID: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction ID: 9d30c6d5b88624d8d5e8cf60965674804df526b05ac6bdb63d529ecfc8a1f6c0
                                                        • Opcode Fuzzy Hash: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction Fuzzy Hash: 1D01A4B0B803057AF7305B79CC8FF5A7E68DF81B50F908518F718AE1C4D6B89A0483A9
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,0000000E), ref: 7FE32558
                                                        Strings
                                                        • \BaseNamedObjects\yietVt, xrefs: 7FE32545
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: OpenSection
                                                        • String ID: \BaseNamedObjects\yietVt
                                                        • API String ID: 1950954290-129974550
                                                        • Opcode ID: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction ID: b3aacc91b347d59d7f115e11f4200a74d00a3252589c1a9605fbc5584bb4d301
                                                        • Opcode Fuzzy Hash: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction Fuzzy Hash: C2E0D8F17401063EFB185719CC07FF7218DDB80601F048508F914DA080E5F4DF1182B8
                                                        APIs
                                                          • Part of subcall function 7FE32529: NtOpenSection.NTDLL(?,0000000E), ref: 7FE32558
                                                        • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B6FC,00000000,?,00000002,00100000,00000040), ref: 7FE3259E
                                                        • CloseHandle.KERNEL32(00000000,0000B6FC,00000000,?,00000002,00100000,00000040,00000000,0000B6FC,00000000,?,7FE3080F), ref: 7FE325A6
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Section$CloseHandleOpenView
                                                        • String ID:
                                                        • API String ID: 2731707328-0
                                                        • Opcode ID: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction ID: 7e00d63353bb450a698177bfab7b78e78f9df3cb21cfb0c2f97f42846b99aac6
                                                        • Opcode Fuzzy Hash: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction Fuzzy Hash: DF215E70701706BADB14CE29CC99BE97369EF80B44F800118F9AA8E1D4DBB1BF55C754
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE31454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE31464
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction ID: 01f7e7575b44af39e84b9ee94f66a89c6d22cfdb503e39dbcfd023e7ab42d64d
                                                        • Opcode Fuzzy Hash: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction Fuzzy Hash: 9FF08236542520BBD6206F56CC8EED77E28EF533A0F144956F4484E156C2A28BA5D3E4
                                                        APIs
                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FE32495
                                                        • NtWriteVirtualMemory.NTDLL ref: 7FE3249E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MemoryVirtual$ProtectWrite
                                                        • String ID:
                                                        • API String ID: 151266762-0
                                                        • Opcode ID: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction ID: bec36d184e0d76b253c82774af185ce515cf0d17d059aebebe1b98a4915fad90
                                                        • Opcode Fuzzy Hash: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction Fuzzy Hash: 7AE0ECA06502007FF5185B159C5BF7B391DDB41A45F410108FA0A98184F9A15E14467A
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE31454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE31464
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction ID: 0db5ea05f469a6ff49ad20a45e501a6d4802517c6c4e4fc049ea7a79551dc49b
                                                        • Opcode Fuzzy Hash: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction Fuzzy Hash: 06D05E31603030BBD6302E0A8C0EED73D1DEF537B0F004400F80C8A191C1A28EA1C6F5
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                        • Instruction ID: b5ba4eb2f9a533b20c83361a45d7c357f26364b44b0134e84347205d32ac30b9
                                                        • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                        • Instruction Fuzzy Hash: 6A314A326006158FEB248E38C85079AB7F2FBA0304F10863DE557E7690E675FA89CBC0
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                        • Instruction ID: ca3a9a37b74bf7aa586a4064ea8576876fc0c0323dbac7bcaac21d1f4a8500d1
                                                        • Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
                                                        • Instruction Fuzzy Hash: D4312732A006158BEB148E38C84478AB3F2FF80308F50863CE597E7598E675F689CBC0
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4547b3fe3f7ade73cb4b8cd50c3b6c2eeef74501d41428d812dece7d1f783b26
                                                        • Instruction ID: 81a9d6d4fa21d13140c361b215f045ee1f13936df36b75a41ee8aed2659f6ea5
                                                        • Opcode Fuzzy Hash: 4547b3fe3f7ade73cb4b8cd50c3b6c2eeef74501d41428d812dece7d1f783b26
                                                        • Instruction Fuzzy Hash: 100147723451459BD720EF28CD88FEDB7A1EBC8334F24832AF5555B28AD732B281C651
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 572a3687137416e2f1393bb95436ee19a00af6eeea5e865505a5396fd5f2180a
                                                        • Instruction ID: 8b3b2c02e8159a845957be8b6a6804547998441cb8766027518aa4d06a51a22c
                                                        • Opcode Fuzzy Hash: 572a3687137416e2f1393bb95436ee19a00af6eeea5e865505a5396fd5f2180a
                                                        • Instruction Fuzzy Hash: 77012472A052415AD721DF28CC8CB9EBBA1EFC433CF508365E6544A08ADB32A281C791
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369222468.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000005.00000002.2367775905.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367835613.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367898202.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367955469.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2367955469.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2368099020.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000005.00000002.2368237677.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 7d3fcd72a7bd03043e237b6fb81569234861e2c05d060d0b7c2db648b0d2632e
                                                        • Instruction ID: 94d818b1ef28d16b92e94c67afe63a3f6943ffa20059e7ad0ce01537133526f2
                                                        • Opcode Fuzzy Hash: 7d3fcd72a7bd03043e237b6fb81569234861e2c05d060d0b7c2db648b0d2632e
                                                        • Instruction Fuzzy Hash: B1D067714082568FC7512BA4DC4D6DEFBA4AF84382F118829B59A94061DEA489819B53

                                                        Control-flow Graph
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 00AD3C33
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 00AD3C66
                                                        • GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                        • GetTickCount.KERNEL32 ref: 00AD3D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6E32,00000000,00000000,00000000,00000000), ref: 00AD3DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 3969011833-2898123092
                                                        • Opcode ID: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction ID: 8151d29ed86bca491de4e1773e54f6c2de13c0aa2291fd2ad5e740f5a9b794cf
                                                        • Opcode Fuzzy Hash: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction Fuzzy Hash: F9F10572519258BEDF35AF24CC5ABEA7BACEF11300F00451BE84A9F181D6F05F45CAA6

                                                        Control-flow Graph
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 7FE33C33
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE33C66
                                                        • GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE33D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36E32,00000000,00000000,00000000,00000000), ref: 7FE33DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3969011833-1880045089
                                                        • Opcode ID: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction ID: da1604d828438dcac60165ae72afd15238aa5ff539de2de622a5dcc37a23a33c
                                                        • Opcode Fuzzy Hash: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction Fuzzy Hash: 44F1057191A349BEDB229F20CC5EBDA7BACEF41304F40451AE8499F081D6F46F45CBA6
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00AD3C4C), ref: 00AD3C54
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 00AD3C66
                                                        • GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                        • GetTickCount.KERNEL32 ref: 00AD3D25
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • ADVAPI32.DLL, xrefs: 00AD3CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD3CA8, 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 2837544101-2898123092
                                                        • Opcode ID: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction ID: f3a67a0a7350aed83eef8a1491480b57fb22319146da1518df07b34107d263a2
                                                        • Opcode Fuzzy Hash: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction Fuzzy Hash: 46E10671519259BEDF35AF30CC5ABEA3BACEF11300F00051BE84A9E182D6F05F45CAA6
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(7FE33C4C), ref: 7FE33C54
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE33C66
                                                        • GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE33D25
                                                        Strings
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE34151
                                                        • ADVAPI32.DLL, xrefs: 7FE33CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE33CA8, 7FE34113, 7FE34152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33E9E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2837544101-1880045089
                                                        • Opcode ID: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction ID: 70a4d518b3b81bee048e16ce87541070b4c0732f49a9e57f97ab6540a5d80f79
                                                        • Opcode Fuzzy Hash: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction Fuzzy Hash: 86E1177191A345BEDB269F30CC5EBEA7BACEF41300F40451AE8498E081D6F46F45CBA6
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00AD3C77), ref: 00AD3C82
                                                        • GetSystemDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 00AD3C99
                                                          • Part of subcall function 00AD3CB1: lstrcat.KERNEL32(020a00 . . :#997242831 +*,00AD3CA4), ref: 00AD3CB2
                                                          • Part of subcall function 00AD3CB1: GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                          • Part of subcall function 00AD3CB1: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                          • Part of subcall function 00AD3CB1: GetTickCount.KERNEL32 ref: 00AD3D25
                                                          • Part of subcall function 00AD3CB1: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6E32,00000000,00000000,00000000,00000000), ref: 00AD3DF7
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • ADVAPI32.DLL, xrefs: 00AD3CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD3C98, 00AD3CA8, 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 215653160-2898123092
                                                        • Opcode ID: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction ID: 5416825b854dd29231142e2045ac573d03f6646c759c7858448cabf52c307d98
                                                        • Instruction Fuzzy Hash: 83D1F572515259BEDF35AF20CC5ABEA3BACEF11300F00451AF84A9E182D6F45F45CBA6
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(7FE33C77), ref: 7FE33C82
                                                        • GetSystemDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 7FE33C99
                                                          • Part of subcall function 7FE33CB1: lstrcat.KERNEL32(020a00 . . :#997242831 +*,7FE33CA4), ref: 7FE33CB2
                                                          • Part of subcall function 7FE33CB1: GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                          • Part of subcall function 7FE33CB1: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                          • Part of subcall function 7FE33CB1: GetTickCount.KERNEL32 ref: 7FE33D25
                                                          • Part of subcall function 7FE33CB1: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36E32,00000000,00000000,00000000,00000000), ref: 7FE33DF7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 215653160-1880045089
                                                        • Opcode ID: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction ID: 83dcdcace0a305a03f866234c87c2166a0dafa159639c374a62d1877331dd441
                                                        • Instruction Fuzzy Hash: 62D1067191A349BEDB269F30CC5EBEA3BACEF41300F40451AE8499E081D6F46F45CBA5
                                                        APIs
                                                        • lstrcat.KERNEL32(020a00 . . :#997242831 +*,00AD3CA4), ref: 00AD3CB2
                                                          • Part of subcall function 00AD3CC8: LoadLibraryA.KERNEL32(00AD3CBD), ref: 00AD3CC8
                                                          • Part of subcall function 00AD3CC8: GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                          • Part of subcall function 00AD3CC8: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                          • Part of subcall function 00AD3CC8: GetTickCount.KERNEL32 ref: 00AD3D25
                                                          • Part of subcall function 00AD3CC8: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6E32,00000000,00000000,00000000,00000000), ref: 00AD3DF7
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • ADVAPI32.DLL, xrefs: 00AD3CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD3CB1, 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 2038497427-2898123092
                                                        • Opcode ID: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction ID: 68674a65dcacff37754a8e8cc12ac445b37c3bbd00cb11b3aeaeaba76037c588
                                                        • Instruction Fuzzy Hash: 85D1F472515259BEDF35AF34CC1ABEA3BACEF11300F00051AF84A9E181D6F45F45CAA6
                                                        APIs
                                                        • lstrcat.KERNEL32(020a00 . . :#997242831 +*,7FE33CA4), ref: 7FE33CB2
                                                          • Part of subcall function 7FE33CC8: LoadLibraryA.KERNEL32(7FE33CBD), ref: 7FE33CC8
                                                          • Part of subcall function 7FE33CC8: GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                          • Part of subcall function 7FE33CC8: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                          • Part of subcall function 7FE33CC8: GetTickCount.KERNEL32 ref: 7FE33D25
                                                          • Part of subcall function 7FE33CC8: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36E32,00000000,00000000,00000000,00000000), ref: 7FE33DF7
                                                        Strings
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE34151
                                                        • ADVAPI32.DLL, xrefs: 7FE33CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE33CB1, 7FE34113, 7FE34152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33E9E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2038497427-1880045089
                                                        • Opcode ID: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction ID: 4ff958fbc77df0c06950529926399d06ecb6471fa7ea1c68174c22b5ddb7eb65
                                                        • Instruction Fuzzy Hash: E9D1067191A349BEDB269F30CC5EBEA7BACEF41300F40451AE8499E081D6F46F45CBA5
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE33CBD), ref: 7FE33CC8
                                                          • Part of subcall function 7FE33CDD: GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                          • Part of subcall function 7FE33CDD: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                          • Part of subcall function 7FE33CDD: GetTickCount.KERNEL32 ref: 7FE33D25
                                                          • Part of subcall function 7FE33CDD: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36E32,00000000,00000000,00000000,00000000), ref: 7FE33DF7
                                                        Strings
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE34151
                                                        • ADVAPI32.DLL, xrefs: 7FE33CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE34113, 7FE34152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33E9E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3734769084-1880045089
                                                        • Opcode ID: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction ID: d7a75b92e3d121634934339876560cbfcea646d92f54ea58f82db6636dbb7707
                                                        • Instruction Fuzzy Hash: 05C1F87191A345BEDB269F30CC5EBDA7BACEF41300F80451AE8499E081D6F46F45CBA5
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00AD3F15), ref: 00AD3F21
                                                        • WSAStartup.WS2_32(00000101), ref: 00AD3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00AD3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00AD3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3F91
                                                        • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AD3FE2
                                                        • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AD3FF1
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00AD4022
                                                        • connect.WS2_32(6F6C6902,00AD3A9B,00000010), ref: 00AD403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD4086
                                                        • wsprintfA.USER32 ref: 00AD4104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 00AD4132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,00AD6E32,00000099,6F6C6902,6F6C6902,00AD3AE4,00000014,00000000), ref: 00AD413B
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 00AD425B
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:\WINDOWS\SYSTEM32\IMM32.DLL$ilo.brenz.pl
                                                        • API String ID: 3947895852-2013876662
                                                        • Opcode ID: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction ID: fe5248c2a45eb6e640fe31c1f8c6008f9dfb3265a81ac95f64759c9dbe6e222b
                                                        • Instruction Fuzzy Hash: 5381CF71505249BFEF359F24C81ABEA7BACEF45300F04060AF85A5E291D6F09F45C7AA
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE33F15), ref: 7FE33F21
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE33F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE33F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE33F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33F91
                                                        • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE33FE2
                                                        • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE33FF1
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE34022
                                                        • connect.WS2_32(6F6C6902,7FE33A9B,00000010), ref: 7FE3403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE34086
                                                        • wsprintfA.USER32 ref: 7FE34104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 7FE34132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE36E32,00000099,6F6C6902,6F6C6902,7FE33AE4,00000014,00000000), ref: 7FE3413B
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 7FE3425B
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
                                                        • API String ID: 3947895852-2481640231
                                                        • Opcode ID: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction ID: c49a2c14bca3a15c4feb8626536a0a70f50950f38cdf95da694c6cce0e188f31
                                                        • Instruction Fuzzy Hash: 7F81D271909349FEEB219F30CC1DBDA7BADEF41304F800649E85A5E091D6F4AB45CB99
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,00AD3CD3), ref: 00AD3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3CF1
                                                        • GetTickCount.KERNEL32 ref: 00AD3D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6E32,00000000,00000000,00000000,00000000), ref: 00AD3DF7
                                                        • CreateThread.KERNEL32(00000000,00000000,00AD3623,00000000,00000000), ref: 00AD3ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00AD3EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 00AD3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00AD3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00AD3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00AD4022
                                                        • connect.WS2_32(6F6C6902,00AD3A9B,00000010), ref: 00AD403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD4086
                                                        • wsprintfA.USER32 ref: 00AD4104
                                                        • SetEvent.KERNEL32(000003D8,?,00000000), ref: 00AD421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 00AD4230
                                                        • ResetEvent.KERNEL32(000003D8,?,00000000), ref: 00AD4243
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • ADVAPI32.DLL, xrefs: 00AD3CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 927156256-2898123092
                                                        • Opcode ID: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction ID: 383fe12cf6e5059fe91e2678d253756f6ee73d91b0939745e113397651b5b88c
                                                        • Instruction Fuzzy Hash: 96D1F472515258BEDF35AF24CC5ABEA3BACEF15300F00051AF84A9E182D6F45F45CBA6
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,7FE33CD3), ref: 7FE33CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE33D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36E32,00000000,00000000,00000000,00000000), ref: 7FE33DF7
                                                        • CreateThread.KERNEL32(00000000,00000000,7FE33623,00000000,00000000), ref: 7FE33ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE33EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE33F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE33F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE33F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE34022
                                                        • connect.WS2_32(6F6C6902,7FE33A9B,00000010), ref: 7FE3403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE34086
                                                        • wsprintfA.USER32 ref: 7FE34104
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 7FE3421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 7FE34230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 7FE34243
                                                        Strings
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE34151
                                                        • ADVAPI32.DLL, xrefs: 7FE33CF0
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE34113, 7FE34152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33E9E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 927156256-1880045089
                                                        • Opcode ID: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction ID: 5ef1025bd57abed28f7472cc32f9ff5e11ae30dcc27ab3629cd55a7518a2afca
                                                        • Opcode Fuzzy Hash: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction Fuzzy Hash: FDD1E37191A349BEDB269F30CC5EBEA7BACEF41300F40451AE8499E081D6F46F45CBA5
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,00AD3E52), ref: 00AD3E5F
                                                        • GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 00AD3E74
                                                        • wsprintfA.USER32 ref: 00AD3E89
                                                        • CreateThread.KERNEL32(00000000,00000000,00AD3623,00000000,00000000), ref: 00AD3ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00AD3EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 00AD3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00AD3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00AD3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3F91
                                                          • Part of subcall function 00AD3397: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD33DC
                                                          • Part of subcall function 00AD3397: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD33FB
                                                          • Part of subcall function 00AD3397: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3425
                                                          • Part of subcall function 00AD3397: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD3432
                                                          • Part of subcall function 00AD3397: UnmapViewOfFile.KERNEL32(?), ref: 00AD344A
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:,$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 3630706530-3879727862
                                                        • Opcode ID: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction ID: 0fe6675104d39a8230c60ab3a41a3442f2f8d1e004f3421bd32eaa2e095780eb
                                                        • Opcode Fuzzy Hash: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction Fuzzy Hash: B491DE72505249BFEB35AF24CC5ABEA7B6CEF45300F00460AF85A5E181D6F06F45CBA6
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,7FE33E52), ref: 7FE33E5F
                                                        • GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 7FE33E74
                                                        • wsprintfA.USER32 ref: 7FE33E89
                                                        • CreateThread.KERNEL32(00000000,00000000,7FE33623,00000000,00000000), ref: 7FE33ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE33EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE33F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE33F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE33F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33F91
                                                          • Part of subcall function 7FE33397: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE333DC
                                                          • Part of subcall function 7FE33397: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE333FB
                                                          • Part of subcall function 7FE33397: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33425
                                                          • Part of subcall function 7FE33397: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE33432
                                                          • Part of subcall function 7FE33397: UnmapViewOfFile.KERNEL32(?), ref: 7FE3344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:,$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3630706530-3937138646
                                                        • Opcode ID: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction ID: e287b5dbb4dcb83f0000e9e9e189b7e46bf931402bad6951306266e8dca3cb8a
                                                        • Opcode Fuzzy Hash: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction Fuzzy Hash: 5691C07190A349BEDB219F20CC5EBEA7B6CEF41304F40465AE8595F081D6F06F45CBA6
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00AD3E3B), ref: 00AD3E47
                                                          • Part of subcall function 00AD3E5E: GetProcAddress.KERNEL32(00000000,00AD3E52), ref: 00AD3E5F
                                                          • Part of subcall function 00AD3E5E: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 00AD3E74
                                                          • Part of subcall function 00AD3E5E: wsprintfA.USER32 ref: 00AD3E89
                                                          • Part of subcall function 00AD3E5E: CreateThread.KERNEL32(00000000,00000000,00AD3623,00000000,00000000), ref: 00AD3ED2
                                                          • Part of subcall function 00AD3E5E: CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00AD3EDB
                                                          • Part of subcall function 00AD3E5E: WSAStartup.WS2_32(00000101), ref: 00AD3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00AD3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00AD3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00AD4022
                                                        • connect.WS2_32(6F6C6902,00AD3A9B,00000010), ref: 00AD403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD4086
                                                        • wsprintfA.USER32 ref: 00AD4104
                                                        Strings
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3E9E
                                                        • C:\WINDOWS\SYSTEM32\IMM32.DLL, xrefs: 00AD4151
                                                        • 020a00 . . :#997242831 +*, xrefs: 00AD4113, 00AD4152
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$C:\WINDOWS\SYSTEM32\IMM32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                        • API String ID: 2507355515-3602139811
                                                        • Opcode ID: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction ID: 4d26e04371ae7356be0087a3f02ca1cb807f32e572a39b7413589c1eb7b95703
                                                        • Opcode Fuzzy Hash: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction Fuzzy Hash: AC91F372509245BFDB21AF34CC5ABEA7BACEF55300F00461AF84A4E182D6F05F45C7A6
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE33E3B), ref: 7FE33E47
                                                          • Part of subcall function 7FE33E5E: GetProcAddress.KERNEL32(00000000,7FE33E52), ref: 7FE33E5F
                                                          • Part of subcall function 7FE33E5E: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 7FE33E74
                                                          • Part of subcall function 7FE33E5E: wsprintfA.USER32 ref: 7FE33E89
                                                          • Part of subcall function 7FE33E5E: CreateThread.KERNEL32(00000000,00000000,7FE33623,00000000,00000000), ref: 7FE33ED2
                                                          • Part of subcall function 7FE33E5E: CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE33EDB
                                                          • Part of subcall function 7FE33E5E: WSAStartup.WS2_32(00000101), ref: 7FE33F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE33F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE33F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE34022
                                                        • connect.WS2_32(6F6C6902,7FE33A9B,00000010), ref: 7FE3403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE34086
                                                        • wsprintfA.USER32 ref: 7FE34104
                                                        Strings
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE34151
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE34113, 7FE34152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33E9E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2507355515-4156410515
                                                        • Opcode ID: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction ID: 855f5b7b019b07e2a89f946e0bb5f816d22db4f82193620642819dc2dbd1b454
                                                        • Opcode Fuzzy Hash: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction Fuzzy Hash: 22910671919745BEDB229F30CC5EBEA7BACEF41300F40465AE84A5E081D6F0AF45C7A6
                                                        APIs
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00AD4022
                                                        • connect.WS2_32(6F6C6902,00AD3A9B,00000010), ref: 00AD403C
                                                        • wsprintfA.USER32 ref: 00AD4104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 00AD4132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,00AD6E32,00000099,6F6C6902,6F6C6902,00AD3AE4,00000014,00000000), ref: 00AD413B
                                                        • Sleep.KERNEL32(00000064,?,?,?,Function_000037AB,6F6C6902,?,?,00000023,00AD6E32,00000099,6F6C6902,6F6C6902,00AD3AE4,00000014,00000000), ref: 00AD41D4
                                                        • GetTickCount.KERNEL32 ref: 00AD41DD
                                                        • closesocket.WS2_32(6F6C6902), ref: 00AD4201
                                                        • SetEvent.KERNEL32(000003D8,?,00000000), ref: 00AD421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 00AD4230
                                                        • ResetEvent.KERNEL32(000003D8,?,00000000), ref: 00AD4243
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:\WINDOWS\SYSTEM32\IMM32.DLL
                                                        • API String ID: 2506426657-2921996410
                                                        • Opcode ID: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction ID: 3210b0315255ceb2088307f16aeacc17951357c811bda3fc8dc437aa4a9a8305
                                                        • Opcode Fuzzy Hash: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction Fuzzy Hash: B061E471504249BBEF359F34C91ABEE7B6CAF55300F04060AF85A5E281D2F09F45C79A
                                                        APIs
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE34022
                                                        • connect.WS2_32(6F6C6902,7FE33A9B,00000010), ref: 7FE3403C
                                                        • wsprintfA.USER32 ref: 7FE34104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 7FE34132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE36E32,00000099,6F6C6902,6F6C6902,7FE33AE4,00000014,00000000), ref: 7FE3413B
                                                        • Sleep.KERNEL32(00000064,?,?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE36E32,00000099,6F6C6902,6F6C6902,7FE33AE4,00000014,00000000), ref: 7FE341D4
                                                        • GetTickCount.KERNEL32 ref: 7FE341DD
                                                        • closesocket.WS2_32(6F6C6902), ref: 7FE34201
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 7FE3421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 7FE34230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 7FE34243
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2506426657-2210051122
                                                        • Opcode ID: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction ID: 76272657368349d062e88a1bc77ba226330b7c07dac0fd75f08f595097f98bff
                                                        • Opcode Fuzzy Hash: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction Fuzzy Hash: D5610471909349BEEB229F34CC1DBDE7BADEF41304F800649E85A5E081C2F0AB44C7A9
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00AD3EE6), ref: 00AD3EF2
                                                          • Part of subcall function 00AD3F21: LoadLibraryA.KERNEL32(00AD3F15), ref: 00AD3F21
                                                          • Part of subcall function 00AD3F21: WSAStartup.WS2_32(00000101), ref: 00AD3F60
                                                          • Part of subcall function 00AD3F21: CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00AD3F7B
                                                          • Part of subcall function 00AD3F21: CloseHandle.KERNEL32(?,00000000), ref: 00AD3F84
                                                          • Part of subcall function 00AD3F21: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3F91
                                                          • Part of subcall function 00AD3F21: socket.WS2_32(00000002,00000001,00000000), ref: 00AD4022
                                                          • Part of subcall function 00AD3F21: connect.WS2_32(6F6C6902,00AD3A9B,00000010), ref: 00AD403C
                                                          • Part of subcall function 00AD3F21: GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD4086
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$C:\WINDOWS\SYSTEM32\IMM32.DLL
                                                        • API String ID: 3793714048-2921996410
                                                        • Opcode ID: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction ID: e7326dcdfcfc5d651a254a083b37986d4ca5c0d037ccf80289be79a5826b7f16
                                                        • Opcode Fuzzy Hash: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction Fuzzy Hash: FA61B171505249BFEB35AF34CC1ABEA7BACEF55300F04060AF85A5E181D6F05F4587AA
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE33EE6), ref: 7FE33EF2
                                                          • Part of subcall function 7FE33F21: LoadLibraryA.KERNEL32(7FE33F15), ref: 7FE33F21
                                                          • Part of subcall function 7FE33F21: WSAStartup.WS2_32(00000101), ref: 7FE33F60
                                                          • Part of subcall function 7FE33F21: CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE33F7B
                                                          • Part of subcall function 7FE33F21: CloseHandle.KERNEL32(?,00000000), ref: 7FE33F84
                                                          • Part of subcall function 7FE33F21: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33F91
                                                          • Part of subcall function 7FE33F21: socket.WS2_32(00000002,00000001,00000000), ref: 7FE34022
                                                          • Part of subcall function 7FE33F21: connect.WS2_32(6F6C6902,7FE33A9B,00000010), ref: 7FE3403C
                                                          • Part of subcall function 7FE33F21: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE34086
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3793714048-2210051122
                                                        • Opcode ID: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction ID: 4e920c301c49f875f50b73b01831a6672dbc736e801ca3cbe81cd66c3204aae9
                                                        • Opcode Fuzzy Hash: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction Fuzzy Hash: A361D37190A349BEDB219F34CC1EBDA7BACEF41314F400659E8595F081D2F0AB45C7AA
                                                        APIs
                                                        • GetSystemTime.KERNEL32(7FE374C0), ref: 7FE33831
                                                        • Sleep.KERNEL32(0000EA60), ref: 7FE338A3
                                                        • InternetGetConnectedState.WININET(?,00000000), ref: 7FE338BC
                                                        • gethostbyname.WS2_32(0D278061), ref: 7FE338FE
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE33913
                                                        • ioctlsocket.WS2_32(?,8004667E), ref: 7FE3392C
                                                        • connect.WS2_32(?,?,00000010), ref: 7FE33945
                                                        • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FE33953
                                                        • closesocket.WS2_32 ref: 7FE339B2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                                                        • String ID: toexkd.com
                                                        • API String ID: 159131500-233167519
                                                        • Opcode ID: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction ID: deb79b1937d1423498e0a7a80cbe143ebc5a87d424a5e867cfedaf71006b2062
                                                        • Opcode Fuzzy Hash: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction Fuzzy Hash: 0041BE31A06349FEEB314E248C4DFEABB6EEF86714F404019F94A9E0C0D6F5AB40D664
                                                        APIs
                                                          • Part of subcall function 7FE31444: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE31454
                                                          • Part of subcall function 7FE31444: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE31464
                                                        • CloseHandle.KERNEL32(?), ref: 7FE305AD
                                                        • FreeLibrary.KERNEL32(75070000,?,7FE30795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307B2
                                                        • CloseHandle.KERNEL32(?,?,7FE30795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307B9
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307C3
                                                        • Process32First.KERNEL32 ref: 7FE307D6
                                                        • Process32Next.KERNEL32 ref: 7FE307E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE307FF
                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 7FE3083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE30857
                                                        • CloseHandle.KERNEL32 ref: 7FE30866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                        • String ID: csrs
                                                        • API String ID: 3908997113-2321902090
                                                        • Opcode ID: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction ID: 92ca5db62fc4d460b14863946a251a09930613efaf769028bb5080d10fdb1b25
                                                        • Opcode Fuzzy Hash: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction Fuzzy Hash: EC116031906204FBEB211F21CD4DBBF3A7DEF40755F40001DFA4A9A091DBB09B01D66A
                                                        APIs
                                                        • GetTempPathA.KERNEL32(00000104), ref: 00AD2786
                                                          • Part of subcall function 00AD27A1: GetTempFileNameA.KERNEL32(?,00AD279D,00000000,?), ref: 00AD27A2
                                                          • Part of subcall function 00AD27A1: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AD279D,00000000,?), ref: 00AD27BD
                                                          • Part of subcall function 00AD27A1: InternetReadFile.WININET(?,?,00000104), ref: 00AD27D7
                                                          • Part of subcall function 00AD27A1: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AD279D,00000000,?), ref: 00AD27ED
                                                          • Part of subcall function 00AD27A1: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AD279D,00000000,?), ref: 00AD27F9
                                                          • Part of subcall function 00AD27A1: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AD279D), ref: 00AD281D
                                                          • Part of subcall function 00AD27A1: InternetCloseHandle.WININET(?), ref: 00AD282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 00AD2834
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
                                                        • String ID:
                                                        • API String ID: 1995088466-0
                                                        • Opcode ID: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction ID: b57de49abcbe2e75262144659881376b2e63ac9d2e4ef6441280cad3a97b8607
                                                        • Opcode Fuzzy Hash: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction Fuzzy Hash: E621AEB1146306BFE7311B20CC8EFEB7A6CEFA1B00F004119FA0989191D7B19E41C6B6
                                                        APIs
                                                        • GetTempPathA.KERNEL32(00000104), ref: 7FE32786
                                                          • Part of subcall function 7FE327A1: GetTempFileNameA.KERNEL32(?,7FE3279D,00000000,?), ref: 7FE327A2
                                                          • Part of subcall function 7FE327A1: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3279D,00000000,?), ref: 7FE327BD
                                                          • Part of subcall function 7FE327A1: InternetReadFile.WININET(?,?,00000104), ref: 7FE327D7
                                                          • Part of subcall function 7FE327A1: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3279D,00000000,?), ref: 7FE327ED
                                                          • Part of subcall function 7FE327A1: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3279D,00000000,?), ref: 7FE327F9
                                                          • Part of subcall function 7FE327A1: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3279D), ref: 7FE3281D
                                                          • Part of subcall function 7FE327A1: InternetCloseHandle.WININET(?), ref: 7FE3282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 7FE32834
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
                                                        • String ID:
                                                        • API String ID: 1995088466-0
                                                        • Opcode ID: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction ID: c98827b822e57f48b5d4a43ef92a54b34b66a7b4a04052ca5de360e27e3fb09a
                                                        • Opcode Fuzzy Hash: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction Fuzzy Hash: 1621E4B1146306BFE7211B20DC8DFEF7A6CEF91B00F004119FA498D081D7B1AA51C6B6
                                                        APIs
                                                        • GetTempFileNameA.KERNEL32(?,7FE3279D,00000000,?), ref: 7FE327A2
                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE3279D,00000000,?), ref: 7FE327BD
                                                        • InternetReadFile.WININET(?,?,00000104), ref: 7FE327D7
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE3279D,00000000,?), ref: 7FE327ED
                                                        • CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE3279D,00000000,?), ref: 7FE327F9
                                                        • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE3279D), ref: 7FE3281D
                                                        • InternetCloseHandle.WININET(?), ref: 7FE3282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 7FE32834
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                                                        • String ID:
                                                        • API String ID: 3452404049-0
                                                        • Opcode ID: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction ID: a77174973ad35195ef94212858385f5fa4a2173b876276f6e60842574595c7ec
                                                        • Opcode Fuzzy Hash: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction Fuzzy Hash: 7F116DB1142606BFEB250B20DC4DFEF7A7DEF85B11F404518FA4A8D081DBB0AA50C6B9
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(0371FEC8), ref: 00AD1137
                                                        • GetProcAddress.KERNEL32(00000000,00AD11D0), ref: 00AD1142
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2369512201.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_ad0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: .DLL
                                                        • API String ID: 1646373207-899428287
                                                        • Opcode ID: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction ID: c4c892f3d81becd70c436f6c399543c71994ad8f9dc4728b4453257fc16400ae
                                                        • Opcode Fuzzy Hash: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction Fuzzy Hash: 7C01B530205206BADB64DF2CC949AEA37B8EF05342F10461AFA1B8B655C7709F80DB95
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(039CFF54), ref: 7FE31137
                                                        • GetProcAddress.KERNEL32(00000000,7FE311D0), ref: 7FE31142
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.2371948554.000000007FE30000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_7fe30000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: .DLL
                                                        • API String ID: 1646373207-899428287
                                                        • Opcode ID: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction ID: a78e103fc99eeb5c5ea1456bc366a5c5cd3c11171152997d3bb8b369502d5a1c
                                                        • Opcode Fuzzy Hash: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction Fuzzy Hash: 4F01D234D00206EADB568E38CC4DADE37BDEF05366F80451ED81A8F049CA78AB40CF92

                                                        Execution Graph

                                                        Execution Coverage:1.6%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:353
                                                        Total number of Limit Nodes:2
                                                        execution_graph 3825 7fe44ba4 3828 7fe44bd7 3825->3828 3829 7fe44be3 3828->3829 3836 7fe443d2 3829->3836 3831 7fe44bf0 3832 7fe443d2 5 API calls 3831->3832 3835 7fe44c9d 3831->3835 3833 7fe44c91 3832->3833 3834 7fe443d2 5 API calls 3833->3834 3833->3835 3834->3835 3837 7fe443fb CreateFileA 3836->3837 3838 7fe443dc GetFileAttributesA 3836->3838 3841 7fe44435 CreateFileMappingA 3837->3841 3838->3837 3839 7fe443e8 SetFileAttributesA 3838->3839 3839->3837 3843 7fe444ac MapViewOfFile 3841->3843 3845 7fe444e1 3843->3845 3845->3831 3996 7fe410c5 3998 7fe410c8 3996->3998 3997 7fe41156 3998->3997 3999 7fe4112d GetModuleHandleA GetProcAddress 3998->3999 3999->3998 4409 7fe40000 4410 7fe40004 4409->4410 4411 7fe400a1 4410->4411 4413 7fe4025e 4410->4413 4417 7fe40105 4413->4417 4416 7fe40278 4416->4411 4418 7fe40116 GetPEB 4417->4418 4418->4416 3883 a7978c 3884 a79790 3883->3884 3885 a798ce 3884->3885 3887 a7302f 3884->3887 3891 a730c5 3887->3891 3890 a73045 3890->3885 3892 a73039 GetPEB 3891->3892 3892->3890 4396 7fe437ab 4398 7fe437b1 WaitForSingleObject 4396->4398 4399 7fe437d7 4398->4399 4400 7fe437cd closesocket 4398->4400 4400->4399 4401 7fe4332b 4403 7fe43334 4401->4403 4404 7fe4333b Sleep 4403->4404 4404->4404 4405 7fe44334 4408 7fe41444 LookupPrivilegeValueA NtAdjustPrivilegesToken 4405->4408 4407 7fe4433a 4408->4407 4419 7fe41190 GetProcAddress 3900 7fe43372 3901 7fe43377 3900->3901 3902 7fe43401 MapViewOfFile CloseHandle 3901->3902 3903 7fe433d2 NtOpenSection 3901->3903 3906 7fe43442 3902->3906 3907 7fe43585 3902->3907 3905 7fe433f1 NtQuerySystemInformation 3903->3905 3903->3907 3904 7fe43449 UnmapViewOfFile 3904->3907 3905->3902 3906->3904 3906->3907 3846 7fe46573 3849 7fe46580 3846->3849 3850 7fe4657d 3849->3850 3851 7fe4658b 3849->3851 3853 7fe46591 3851->3853 3856 7fe4256e 3853->3856 3875 7fe42529 NtOpenSection 3856->3875 3858 7fe42576 3859 7fe4257c NtMapViewOfSection CloseHandle 3858->3859 3860 7fe4265b 
3858->3860 3859->3860 3861 7fe425b4 3859->3861 3860->3850 3862 7fe425e9 3861->3862 3876 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3861->3876 3877 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3862->3877 3865 7fe425fa 3878 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3865->3878 3867 7fe4260b 3879 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3867->3879 3869 7fe4261c 3870 7fe42631 3869->3870 3880 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3869->3880 3872 7fe42646 3870->3872 3881 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3870->3881 3872->3860 3882 7fe42471 NtProtectVirtualMemory NtWriteVirtualMemory 3872->3882 3875->3858 3876->3862 3877->3865 3878->3867 3879->3869 3880->3870 3881->3872 3882->3860 4000 7fe4275c 4002 7fe42762 4000->4002 4003 7fe42833 InternetCloseHandle 4002->4003 4004 7fe4277a GetTempPathA 4002->4004 4012 7fe427a1 GetTempFileNameA CreateFileA 4004->4012 4006 7fe4279d CreateFileA 4007 7fe42823 InternetCloseHandle 4006->4007 4008 7fe427c8 InternetReadFile 4006->4008 4007->4003 4009 7fe427e2 4008->4009 4010 7fe427f8 CloseHandle CreateProcessA 4008->4010 4009->4010 4011 7fe427e4 WriteFile 4009->4011 4010->4007 4011->4008 4011->4010 4013 7fe42823 InternetCloseHandle 4012->4013 4014 7fe427c8 InternetReadFile 4012->4014 4017 7fe42833 InternetCloseHandle 4013->4017 4015 7fe427e2 4014->4015 4016 7fe427f8 CloseHandle CreateProcessA 4014->4016 4015->4016 4018 7fe427e4 WriteFile 4015->4018 4016->4013 4017->4006 4018->4014 4018->4016 4420 7fe4141c LookupPrivilegeValueA NtAdjustPrivilegesToken 3908 7fe402fe 3909 7fe40415 3908->3909 3911 7fe4042d 3909->3911 3942 7fe410c8 3911->3942 3913 7fe4048f 3914 7fe404dd 3913->3914 3915 7fe404b0 GetModuleHandleA 3913->3915 3916 7fe404f8 GetVersion 3914->3916 3915->3914 3917 7fe4050f VirtualAlloc 3916->3917 3918 7fe405ca 3916->3918 3919 7fe405a9 CloseHandle 3917->3919 3924 7fe40532 3917->3924 3918->3919 3920 7fe405d3 SetProcessAffinityMask 3918->3920 3922 7fe405f2 
GetModuleHandleA 3919->3922 3949 7fe405f2 GetModuleHandleA 3920->3949 3923 7fe410c8 2 API calls 3922->3923 3931 7fe405ec 3923->3931 3924->3919 3946 7fe405ba 3924->3946 3925 7fe406fc lstrcpyW 3968 7fe424a8 lstrcpyW lstrlenW 3925->3968 3927 7fe40746 NtMapViewOfSection 3927->3919 3927->3931 3928 7fe40717 GetPEB lstrcpyW lstrcatW 3930 7fe424a8 3 API calls 3928->3930 3930->3931 3931->3919 3931->3925 3931->3927 3931->3928 3932 7fe4077a NtOpenProcessToken 3931->3932 3933 7fe407bf CreateToolhelp32Snapshot Process32First 3931->3933 3934 7fe407e5 Process32Next 3931->3934 3937 7fe407f7 OpenProcess 3931->3937 3938 7fe4256e 5 API calls 3931->3938 3939 7fe40856 CloseHandle 3931->3939 3940 7fe4082e CreateRemoteThread 3931->3940 3941 7fe405ba Sleep 3931->3941 3971 7fe407a6 3931->3971 3932->3931 3932->3933 3933->3931 3934->3931 3936 7fe4085f CloseHandle 3934->3936 3936->3919 3937->3931 3937->3934 3938->3931 3939->3934 3940->3931 3940->3939 3941->3939 3944 7fe410d5 3942->3944 3943 7fe41156 3943->3913 3944->3942 3944->3943 3945 7fe4112d GetModuleHandleA GetProcAddress 3944->3945 3945->3944 3947 7fe405bf Sleep 3946->3947 3948 7fe405c9 3946->3948 3947->3946 3948->3919 3950 7fe410c8 2 API calls 3949->3950 3966 7fe4060e 3950->3966 3951 7fe405a9 CloseHandle 3951->3949 3952 7fe406fc lstrcpyW 3953 7fe424a8 3 API calls 3952->3953 3953->3966 3954 7fe40746 NtMapViewOfSection 3954->3951 3954->3966 3955 7fe40717 GetPEB lstrcpyW lstrcatW 3956 7fe424a8 3 API calls 3955->3956 3956->3966 3957 7fe4077a NtOpenProcessToken 3958 7fe407bf CreateToolhelp32Snapshot Process32First 3957->3958 3957->3966 3958->3966 3959 7fe407e5 Process32Next 3961 7fe4085f CloseHandle 3959->3961 3959->3966 3960 7fe407a6 30 API calls 3960->3966 3961->3951 3962 7fe407f7 OpenProcess 3962->3959 3962->3966 3963 7fe4256e 5 API calls 3963->3966 3964 7fe40856 CloseHandle 3964->3959 3965 7fe4082e CreateRemoteThread 3965->3964 3965->3966 3966->3951 3966->3952 3966->3954 3966->3955 3966->3957 3966->3958 3966->3959 3966->3960 3966->3962 
3966->3963 3966->3964 3966->3965 3967 7fe405ba Sleep 3966->3967 3967->3964 3993 7fe4029d 3968->3993 3970 7fe424e4 NtCreateSection 3970->3931 3995 7fe41444 LookupPrivilegeValueA NtAdjustPrivilegesToken 3971->3995 3973 7fe407ac FreeLibrary CloseHandle 3974 7fe407bf CreateToolhelp32Snapshot Process32First 3973->3974 3991 7fe4060e 3974->3991 3975 7fe407e5 Process32Next 3976 7fe4085f CloseHandle 3975->3976 3975->3991 3978 7fe405a9 CloseHandle 3976->3978 3977 7fe407f7 OpenProcess 3977->3975 3977->3991 3979 7fe405f2 GetModuleHandleA 3978->3979 3981 7fe410c8 2 API calls 3979->3981 3980 7fe4256e 5 API calls 3980->3991 3981->3991 3982 7fe40856 CloseHandle 3982->3975 3983 7fe4082e CreateRemoteThread 3983->3982 3983->3991 3984 7fe405ba Sleep 3984->3982 3985 7fe406fc lstrcpyW 3986 7fe424a8 3 API calls 3985->3986 3986->3991 3987 7fe40746 NtMapViewOfSection 3987->3978 3987->3991 3988 7fe40717 GetPEB lstrcpyW lstrcatW 3989 7fe424a8 3 API calls 3988->3989 3989->3991 3990 7fe4077a NtOpenProcessToken 3990->3974 3990->3991 3991->3974 3991->3975 3991->3977 3991->3978 3991->3980 3991->3982 3991->3983 3991->3984 3991->3985 3991->3987 3991->3988 3991->3990 3992 7fe407a6 13 API calls 3991->3992 3992->3991 3994 7fe402a0 3993->3994 3994->3970 3995->3973 4019 7fe4265f 4021 7fe42665 CreateThread CloseHandle 4019->4021 4022 7fe43bca 4021->4022 4024 7fe43bcf 4022->4024 4025 7fe43c3b 4024->4025 4030 7fe43bed GetWindowsDirectoryA 4024->4030 4077 7fe42529 NtOpenSection 4025->4077 4027 7fe43c40 4029 7fe43c8d GetSystemDirectoryA 4027->4029 4078 7fe43c54 GetModuleHandleA 4027->4078 4125 7fe43cb1 lstrcat 4029->4125 4031 7fe43ca3 4030->4031 4165 7fe43cc8 LoadLibraryA 4031->4165 4077->4027 4079 7fe43c70 4078->4079 4080 7fe43c5e 4078->4080 4204 7fe43c82 GetModuleHandleA 4079->4204 4082 7fe43c66 GetProcAddress 4080->4082 4082->4079 4126 7fe43cb8 4125->4126 4127 7fe43cc8 144 API calls 4126->4127 4128 7fe43cbc GetProcAddress LoadLibraryA 4127->4128 4130 7fe410c8 2 API calls 4128->4130 4131 7fe43d0f 
4130->4131 4132 7fe43d24 GetTickCount 4131->4132 4133 7fe43d3c 4132->4133 4134 7fe43dd9 GetVolumeInformationA 4133->4134 4135 7fe43e0c 4134->4135 4136 7fe43eb7 4135->4136 4137 7fe43e47 93 API calls 4135->4137 4138 7fe43ee1 4136->4138 4139 7fe43ec3 CreateThread CloseHandle 4136->4139 4146 7fe43e3b 4137->4146 4140 7fe43ef2 42 API calls 4138->4140 4139->4138 4141 7fe43ee6 4140->4141 4142 7fe43f10 4141->4142 4143 7fe410c8 2 API calls 4141->4143 4144 7fe43f21 22 API calls 4142->4144 4143->4142 4145 7fe43f15 4144->4145 4147 7fe410c8 2 API calls 4145->4147 4146->4136 4148 7fe43397 5 API calls 4146->4148 4149 7fe43f47 4147->4149 4148->4136 4150 7fe43f54 WSAStartup CreateThread CloseHandle CreateEventA 4149->4150 4151 7fe44259 RtlExitUserThread 4149->4151 4162 7fe43f9d 4150->4162 4152 7fe43ff0 gethostbyname 4152->4162 4153 7fe43fe1 lstrlen 4153->4152 4153->4153 4154 7fe4400c socket 4155 7fe44031 connect 4154->4155 4154->4162 4158 7fe44200 closesocket 4155->4158 4155->4162 4156 7fe44219 SetEvent 4157 7fe4422b Sleep ResetEvent 4156->4157 4157->4162 4158->4162 4159 7fe4407a GetVersionExA 4159->4162 4160 7fe440fd wsprintfA 4160->4162 4161 7fe44125 CreateThread CloseHandle 4161->4162 4162->4151 4162->4152 4162->4153 4162->4154 4162->4156 4162->4157 4162->4158 4162->4159 4162->4160 4162->4161 4163 7fe441d1 Sleep 4162->4163 4163->4162 4164 7fe441dd GetTickCount 4163->4164 4164->4162 4357 7fe43cdd GetProcAddress LoadLibraryA 4165->4357 4205 7fe43c8d GetSystemDirectoryA 4204->4205 4247 7fe426ce 4204->4247 4207 7fe43cb1 170 API calls 4205->4207 4208 7fe43ca3 4207->4208 4209 7fe43cc8 144 API calls 4208->4209 4210 7fe43cbc GetProcAddress LoadLibraryA 4209->4210 4212 7fe410c8 2 API calls 4210->4212 4213 7fe43d0f 4212->4213 4214 7fe43d24 GetTickCount 4213->4214 4215 7fe43d3c 4214->4215 4216 7fe43dd9 GetVolumeInformationA 4215->4216 4217 7fe43e0c 4216->4217 4218 7fe43eb7 4217->4218 4249 7fe43e47 LoadLibraryA 4217->4249 4220 7fe43ee1 4218->4220 4221 7fe43ec3 CreateThread CloseHandle 
4218->4221 4279 7fe43ef2 LoadLibraryA 4220->4279 4221->4220 4248 7fe426c2 4247->4248 4248->4205 4301 7fe43e5e GetProcAddress GetModuleFileNameA wsprintfA 4249->4301 4280 7fe410c8 2 API calls 4279->4280 4281 7fe43f10 4280->4281 4282 7fe43f21 22 API calls 4281->4282 4283 7fe43f15 4282->4283 4284 7fe410c8 2 API calls 4283->4284 4285 7fe43f47 4284->4285 4286 7fe43f54 WSAStartup CreateThread CloseHandle CreateEventA 4285->4286 4287 7fe44259 RtlExitUserThread 4285->4287 4298 7fe43f9d 4286->4298 4288 7fe43ff0 gethostbyname 4288->4298 4289 7fe43fe1 lstrlen 4289->4288 4289->4289 4290 7fe4400c socket 4291 7fe44031 connect 4290->4291 4290->4298 4294 7fe44200 closesocket 4291->4294 4291->4298 4292 7fe44219 SetEvent 4293 7fe4422b Sleep ResetEvent 4292->4293 4293->4298 4294->4298 4295 7fe4407a GetVersionExA 4295->4298 4296 7fe440fd wsprintfA 4296->4298 4297 7fe44125 CreateThread CloseHandle 4297->4298 4298->4287 4298->4288 4298->4289 4298->4290 4298->4292 4298->4293 4298->4294 4298->4295 4298->4296 4298->4297 4299 7fe441d1 Sleep 4298->4299 4299->4298 4300 7fe441dd GetTickCount 4299->4300 4300->4298 4302 7fe43e92 4301->4302 4303 7fe43eb7 4302->4303 4330 7fe43397 4302->4330 4305 7fe43ee1 4303->4305 4306 7fe43ec3 CreateThread CloseHandle 4303->4306 4307 7fe43ef2 42 API calls 4305->4307 4306->4305 4308 7fe43ee6 4307->4308 4309 7fe43f10 4308->4309 4310 7fe410c8 2 API calls 4308->4310 4338 7fe43f21 LoadLibraryA 4309->4338 4310->4309 4331 7fe433cd 4330->4331 4331->4331 4332 7fe433d2 NtOpenSection 4331->4332 4333 7fe433f1 NtQuerySystemInformation 4332->4333 4337 7fe43585 4332->4337 4334 7fe43401 MapViewOfFile CloseHandle 4333->4334 4336 7fe43442 4334->4336 4334->4337 4335 7fe43449 UnmapViewOfFile 4335->4337 4336->4335 4336->4337 4337->4303 4339 7fe43f2f 4338->4339 4340 7fe44259 RtlExitUserThread 4338->4340 4341 7fe43f47 4339->4341 4342 7fe410c8 2 API calls 4339->4342 4341->4340 4343 7fe43f54 WSAStartup CreateThread CloseHandle CreateEventA 4341->4343 4342->4341 4354 7fe43f9d 4343->4354 
4344 7fe43ff0 gethostbyname 4344->4354 4345 7fe43fe1 lstrlen 4345->4344 4345->4345 4346 7fe4400c socket 4347 7fe44031 connect 4346->4347 4346->4354 4350 7fe44200 closesocket 4347->4350 4347->4354 4348 7fe44219 SetEvent 4349 7fe4422b Sleep ResetEvent 4348->4349 4349->4354 4350->4354 4351 7fe4407a GetVersionExA 4351->4354 4352 7fe440fd wsprintfA 4352->4354 4353 7fe44125 CreateThread CloseHandle 4353->4354 4354->4340 4354->4344 4354->4345 4354->4346 4354->4348 4354->4349 4354->4350 4354->4351 4354->4352 4354->4353 4355 7fe441d1 Sleep 4354->4355 4355->4354 4356 7fe441dd GetTickCount 4355->4356 4356->4354 4358 7fe43d0f 4357->4358 4359 7fe410c8 2 API calls 4357->4359 4360 7fe43d24 GetTickCount 4358->4360 4359->4358 4361 7fe43d3c 4360->4361 4362 7fe43dd9 GetVolumeInformationA 4361->4362 4363 7fe43e0c 4362->4363 4364 7fe43eb7 4363->4364 4365 7fe43e47 93 API calls 4363->4365 4366 7fe43ee1 4364->4366 4367 7fe43ec3 CreateThread CloseHandle 4364->4367 4374 7fe43e3b 4365->4374 4368 7fe43ef2 42 API calls 4366->4368 4367->4366 4369 7fe43ee6 4368->4369 4370 7fe43f10 4369->4370 4371 7fe410c8 2 API calls 4369->4371 4372 7fe43f21 22 API calls 4370->4372 4371->4370 4373 7fe43f15 4372->4373 4375 7fe410c8 2 API calls 4373->4375 4374->4364 4376 7fe43397 5 API calls 4374->4376 4377 7fe43f47 4375->4377 4376->4364 4378 7fe43f54 WSAStartup CreateThread CloseHandle CreateEventA 4377->4378 4379 7fe44259 RtlExitUserThread 4377->4379 4382 7fe43f9d 4378->4382 4380 7fe43ff0 gethostbyname 4380->4382 4381 7fe43fe1 lstrlen 4381->4380 4381->4381 4382->4379 4382->4380 4382->4381 4383 7fe4400c socket 4382->4383 4385 7fe44219 SetEvent 4382->4385 4386 7fe4422b Sleep ResetEvent 4382->4386 4387 7fe44200 closesocket 4382->4387 4388 7fe4407a GetVersionExA 4382->4388 4389 7fe440fd wsprintfA 4382->4389 4390 7fe44125 CreateThread CloseHandle 4382->4390 4391 7fe441d1 Sleep 4382->4391 4383->4382 4384 7fe44031 connect 4383->4384 4384->4382 4384->4387 4385->4386 4386->4382 4387->4382 4388->4382 4389->4382 4390->4382 
4391->4382 4392 7fe441dd GetTickCount 4391->4392 4392->4382 4393 7fe46559 4394 7fe46580 5 API calls 4393->4394 4395 7fe46563 4394->4395 4421 7fe4381a 4423 7fe43820 GetSystemTime 4421->4423 4431 7fe43864 4423->4431 4424 7fe4389e Sleep 4424->4431 4425 7fe439c4 4426 7fe438b6 InternetGetConnectedState 4426->4431 4427 7fe438e6 gethostbyname 4428 7fe4390c socket 4427->4428 4427->4431 4429 7fe43922 ioctlsocket connect Sleep 4428->4429 4428->4431 4429->4431 4430 7fe439b1 closesocket 4430->4431 4431->4424 4431->4425 4431->4426 4431->4427 4431->4430

                                                        Control-flow Graph

                                                        APIs
                                                        • GetFileAttributesA.KERNELBASE(?,65676E61,?,?,7FE4433F,?,7FE44321,?,7FE442FD), ref: 7FE443DD
                                                        • SetFileAttributesA.KERNELBASE(?,00000000,?,65676E61,?,?,7FE4433F,?,7FE44321,?,7FE442FD), ref: 7FE443F1
                                                        • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FE4433F,?,7FE44321,?,7FE442FD), ref: 7FE44426
                                                        • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE4449E
                                                        • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE444D3
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreate$MappingView
                                                        • String ID:
                                                        • API String ID: 1961427682-0
                                                        • Opcode ID: 84c08d243356dc0fc919d1563c1c0c01b0b950833543c4e03403cfd72bfabd16
                                                        • Instruction ID: 2b4a20b50233f56e7f54b5ec202d99873a4131f26e0425720c375215398a4466
                                                        • Opcode Fuzzy Hash: 84c08d243356dc0fc919d1563c1c0c01b0b950833543c4e03403cfd72bfabd16
                                                        • Instruction Fuzzy Hash: A821257030530ABAEB268E609C45BFA366DAF01309F10522DFD1B9E094E7F56F059724

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 23 a7978c 24 a79790 23->24 24->24 25 a79792-a7979a call a730ab 24->25 27 a7979f 25->27 28 a797a0-a797a2 27->28 28->28 29 a797a4-a797b2 28->29 29->27 30 a797b8-a797be 29->30 30->27 31 a797c0-a797d5 30->31 31->27 32 a797d7-a797f5 call a730c5 call a73116 31->32 37 a798e1-a798ee 32->37 38 a797fb-a79803 32->38 39 a79805-a7980c 38->39 40 a79811-a7981b call a730c5 call a730c1 38->40 41 a79820-a798c3 39->41 40->41 46 a798c5-a798c9 call a7302f 41->46 47 a798ce-a798dc call a730c5 call a730c1 41->47 46->47 47->37
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2368320753.0000000000A79000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000010.00000002.2367044654.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367106897.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367191422.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367251245.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367251245.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367401562.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367554645.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000010.00000002.2367554645.0000000000A73000.00000080.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_400000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 55a5208f5583e3e8a4c206ae09a1fa44213f94f53e0937a0e400661ffe3e79a0
                                                        • Instruction ID: 2690efa9ad7035e50de8b6dfc28f8e1c0f8c5438f21500557be6f5db97a0216b
                                                        • Opcode Fuzzy Hash: 55a5208f5583e3e8a4c206ae09a1fa44213f94f53e0937a0e400661ffe3e79a0
                                                        • Instruction Fuzzy Hash: FF115C334255004ACA28BF789F029AF77A0FB55732F41C61EF65C460C2DA215A02A657

                                                        Control-flow Graph
                                                        • Function at 7FE4042D (rendered graph omitted; blocks were marked executed / not executed in the original). Calls on the graph: GetModuleHandleA, GetVersion, VirtualAlloc, CloseHandle, SetProcessAffinityMask, lstrcpyW, lstrcatW, GetPEB, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread.
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 7FE404BE
                                                        • GetVersion.KERNEL32 ref: 7FE40500
                                                        • VirtualAlloc.KERNEL32(00000000,000076FC,08001000,00000040), ref: 7FE40528
                                                        • CloseHandle.KERNEL32(?), ref: 7FE405AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$AllocCloseModuleVersionVirtual
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 3017432202-3480717028
                                                        • Opcode ID: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction ID: 362143324f21d03dcc94089ff1d624cf613d2d90f0004315fb29ef9caf22fe9f
                                                        • Opcode Fuzzy Hash: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction Fuzzy Hash: 6AB19931515309FFEB229F60E809BEA3BA9EF45715F001029FA0A9E181C7F4AB45CB59

                                                        Control-flow Graph
                                                        • Function at 7FE405F2 (rendered graph omitted; blocks were marked executed / not executed in the original). Calls on the graph: GetModuleHandleA, CloseHandle, lstrcpyW, lstrcatW, GetPEB, NtMapViewOfSection, NtOpenProcessToken, CreateToolhelp32Snapshot, Process32First, Process32Next, OpenProcess, CreateRemoteThread.
                                                        APIs
                                                        • CloseHandle.KERNEL32(?), ref: 7FE405AD
                                                        • GetModuleHandleA.KERNEL32(7FE405EC), ref: 7FE405F2
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,\BaseNamedObjects\yietVt,?,?,?,?), ref: 7FE4070A
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,?), ref: 7FE40727
                                                        • lstrcatW.KERNEL32(\BaseNamedObjects\yietVt,\yietVt), ref: 7FE40735
                                                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000076FC,00000000,?,00000002,00000000,00000040), ref: 7FE40765
                                                        • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE40780
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407C3
                                                        • Process32First.KERNEL32 ref: 7FE407D6
                                                        • Process32Next.KERNEL32 ref: 7FE407E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407FF
                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 7FE4083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE40857
                                                        • CloseHandle.KERNEL32 ref: 7FE40866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 1545766225-3480717028
                                                        • Opcode ID: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction ID: 36db534829bb5061fb90fc4ac5bc25e96f43eb41dc334ca13729aae84ff50a29
                                                        • Opcode Fuzzy Hash: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction Fuzzy Hash: F2719B31501209FFEB219F20E849BBE3BAEEF44715F00203CFA0A8E491C7B49B459B59
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE433DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE433FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE43432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 7FE4344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$\Device\PhysicalMemory
                                                        • API String ID: 2985292042-1440550476
                                                        • Opcode ID: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction ID: 37b8a480eff626d8966e0e384e37038eefb87aa263f9e2ec2c6b84ebe477ef9b
                                                        • Opcode Fuzzy Hash: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction Fuzzy Hash: 5381CB71500208FFEB258F14CC8AEBA37BDEF48704F504518FD1A9B291D6B0AF55ABA4
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE433DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE433FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE43432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 7FE4344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$ysic
                                                        • API String ID: 2985292042-2852681185
                                                        • Opcode ID: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction ID: 23c415a60edbfa44d4f6afccb8dcfb7f71e2dfe861b5eb419fc20837800e6cf9
                                                        • Opcode Fuzzy Hash: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction Fuzzy Hash: D1118B70140609FBEB248F10DC5AFAB367CEB88704F40451CFA1A9A2D0D7B46F28AA54
                                                        APIs
                                                        • lstrcpyW.KERNEL32(?,\BaseNamedObjects\yietVt), ref: 7FE424B4
                                                        • lstrlenW.KERNEL32(?), ref: 7FE424BB
                                                        • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE42510
                                                        Strings
                                                        • \BaseNamedObjects\yietVt, xrefs: 7FE424B2
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateSectionlstrcpylstrlen
                                                        • String ID: \BaseNamedObjects\yietVt
                                                        • API String ID: 2597515329-129974550
                                                        • Opcode ID: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction ID: 587c32acbca54d9de52ade07bcdb7fa3faa61ab6bcf45fda3aa84f30539435c2
                                                        • Opcode Fuzzy Hash: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction Fuzzy Hash: 3401A4B07803057AF7305B79CC8BF5A7E68DF81B50F508518F718AE1C4D6B89A0483A9

                                                        Control-flow Graph
                                                        • Function at 7FE43BCF (rendered graph omitted; blocks were marked executed / not executed in the original). Calls on the graph: GetProcAddress, GetSystemDirectoryA, GetWindowsDirectoryA, LoadLibraryA, GetTickCount, GetVolumeInformationA, CreateThread, CloseHandle, WSAStartup, CreateEventA, RtlExitUserThread, gethostbyname, lstrlen, socket, connect, GetVersionExA, wsprintfA, SetEvent, ResetEvent, Sleep, closesocket.
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 7FE43C33
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43C66
                                                        • GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE43D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46E32,00000000,00000000,00000000,00000000), ref: 7FE43DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3969011833-1880045089
                                                        • Opcode ID: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction ID: 34791333e5aab885647b90b50ff3a208d0390e59c64b67f01177905806f7ba61
                                                        • Opcode Fuzzy Hash: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction Fuzzy Hash: BEF1047151A348BEEB229F20DC5ABEA7BACEF41304F00551EFC494E081D6F06F459BA6

                                                        Control-flow Graph
                                                        • Function at 7FE43C54 (rendered graph omitted; blocks were marked executed / not executed in the original). Calls on the graph: GetModuleHandleA, GetProcAddress, GetSystemDirectoryA, LoadLibraryA, GetTickCount, GetVolumeInformationA, CreateThread, CloseHandle, WSAStartup, CreateEventA, RtlExitUserThread, gethostbyname, lstrlen, socket, connect, GetVersionExA, wsprintfA, SetEvent, ResetEvent, Sleep, closesocket.
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(7FE43C4C), ref: 7FE43C54
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43C66
                                                        • GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE43D25
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE43CA8, 7FE44113, 7FE44152
                                                        • ADVAPI32.DLL, xrefs: 7FE43CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE44151
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2837544101-1880045089
                                                        • Opcode ID: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction ID: 8c2cc38e7e9a36c1c98af1d38a74e6c05b7cfe9b06f9bb9178c0b9ec4ec16d78
                                                        • Opcode Fuzzy Hash: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction Fuzzy Hash: 42E1F37151A345BEEB269F30DC5ABEA3BACEF41300F00151EFC498E081D6B06F459BA6

                                                        Control-flow Graph
                                                        • Function at 7FE43C82 (rendered graph omitted; blocks were marked executed / not executed in the original). Calls on the graph: GetModuleHandleA, GetSystemDirectoryA, GetProcAddress, LoadLibraryA, GetTickCount, GetVolumeInformationA, CreateThread, CloseHandle, WSAStartup, CreateEventA, RtlExitUserThread, gethostbyname, lstrlen, socket, connect, GetVersionExA, wsprintfA, SetEvent, ResetEvent, Sleep, closesocket.
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(7FE43C77), ref: 7FE43C82
                                                        • GetSystemDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 7FE43C99
                                                          • Part of subcall function 7FE43CB1: lstrcat.KERNEL32(020a00 . . :#997242831 +*,7FE43CA4), ref: 7FE43CB2
                                                          • Part of subcall function 7FE43CB1: GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                          • Part of subcall function 7FE43CB1: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                          • Part of subcall function 7FE43CB1: GetTickCount.KERNEL32 ref: 7FE43D25
                                                          • Part of subcall function 7FE43CB1: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46E32,00000000,00000000,00000000,00000000), ref: 7FE43DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 215653160-1880045089
                                                        • Opcode ID: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction ID: b4987ca1c97ac9b16166154478c172ac9280aea2705731e29c2cee2fb7922011
                                                        • Opcode Fuzzy Hash: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction Fuzzy Hash: B4D1E27151A359BEEB269F20DC5ABEA3B6CEF41300F00151EFC4A8E081D6F46F459BA5

                                                        Control-flow Graph (graph figure not reproduced in this text export)
                                                        APIs
                                                        • lstrcat.KERNEL32(020a00 . . :#997242831 +*,7FE43CA4), ref: 7FE43CB2
                                                          • Part of subcall function 7FE43CC8: LoadLibraryA.KERNEL32(7FE43CBD), ref: 7FE43CC8
                                                          • Part of subcall function 7FE43CC8: GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                          • Part of subcall function 7FE43CC8: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                          • Part of subcall function 7FE43CC8: GetTickCount.KERNEL32 ref: 7FE43D25
                                                          • Part of subcall function 7FE43CC8: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46E32,00000000,00000000,00000000,00000000), ref: 7FE43DF7
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE43CB1, 7FE44113, 7FE44152
                                                        • ADVAPI32.DLL, xrefs: 7FE43CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE44151
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2038497427-1880045089
                                                        • Opcode ID: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction ID: 3f95d80088da1bf58606829bf204db78a9750a4786f28291fd468e16f09491fc
                                                        • Opcode Fuzzy Hash: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction Fuzzy Hash: 36D1D27151A359BEDB269F20DC5ABEA3B6CEF41300F00151EFC498E081D6F46F459BA9

                                                        Control-flow Graph (graph figure not reproduced in this text export)
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE43CBD), ref: 7FE43CC8
                                                          • Part of subcall function 7FE43CDD: GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                          • Part of subcall function 7FE43CDD: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                          • Part of subcall function 7FE43CDD: GetTickCount.KERNEL32 ref: 7FE43D25
                                                          • Part of subcall function 7FE43CDD: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46E32,00000000,00000000,00000000,00000000), ref: 7FE43DF7
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE44113, 7FE44152
                                                        • ADVAPI32.DLL, xrefs: 7FE43CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE44151
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3734769084-1880045089
                                                        • Opcode ID: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction ID: 6cd6cc149720acb04f8105a5586c406a145f82a753b0e056002a9cfea268715d
                                                        • Opcode Fuzzy Hash: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction Fuzzy Hash: 10C1D47151A345BEDB269F20DC5ABEA7BACEF41300F00151EFC4A8E081D6F46F459BA9

                                                        Control-flow Graph (graph figure not reproduced in this text export)
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE43F15), ref: 7FE43F21
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE43F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE43F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE43F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43F91
                                                        • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE43FE2
                                                        • gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE43FF1
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE44022
                                                        • connect.WS2_32(6F6C6902,7FE43A9B,00000010), ref: 7FE4403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE44086
                                                        • wsprintfA.USER32 ref: 7FE44104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 7FE44132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE46E32,00000099,6F6C6902,6F6C6902,7FE43AE4,00000014,00000000), ref: 7FE4413B
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 7FE4425B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
                                                        • API String ID: 3947895852-2481640231
                                                        • Opcode ID: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction ID: 45765451f9d2aa79ebfd81ee21483d3f93162ac6486d4d1eaf848b4972219331
                                                        • Opcode Fuzzy Hash: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction Fuzzy Hash: 0A81D271609349FEEB229F30D819BEA7BADEF41304F001609FC5A5E191D6F0AB45CB69

                                                        Control-flow Graph (graph figure not reproduced in this text export)
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,7FE43CD3), ref: 7FE43CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43CF1
                                                        • GetTickCount.KERNEL32 ref: 7FE43D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46E32,00000000,00000000,00000000,00000000), ref: 7FE43DF7
                                                        • CreateThread.KERNEL32(00000000,00000000,7FE43623,00000000,00000000), ref: 7FE43ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE43EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE43F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE43F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE43F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE44022
                                                        • connect.WS2_32(6F6C6902,7FE43A9B,00000010), ref: 7FE4403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE44086
                                                        • wsprintfA.USER32 ref: 7FE44104
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 7FE4421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 7FE44230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 7FE44243
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE44113, 7FE44152
                                                        • ADVAPI32.DLL, xrefs: 7FE43CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE44151
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 927156256-1880045089
                                                        • Opcode ID: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction ID: d3cb77e7930f2a5d85bb5d088d7c40499dddb3f7c04a354fa9ba254fa8722360
                                                        • Opcode Fuzzy Hash: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction Fuzzy Hash: FFD1E47151A358BEDB269F20DC5ABEA3BACEF41300F00151EFC498E081D6F46F459BA5

                                                        Control-flow Graph (graph figure not reproduced in this text export)
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,7FE43E52), ref: 7FE43E5F
                                                        • GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 7FE43E74
                                                        • wsprintfA.USER32 ref: 7FE43E89
                                                        • CreateThread.KERNEL32(00000000,00000000,7FE43623,00000000,00000000), ref: 7FE43ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE43EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 7FE43F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE43F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE43F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43F91
                                                          • Part of subcall function 7FE43397: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE433DC
                                                          • Part of subcall function 7FE43397: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE433FB
                                                          • Part of subcall function 7FE43397: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43425
                                                          • Part of subcall function 7FE43397: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE43432
                                                          • Part of subcall function 7FE43397: UnmapViewOfFile.KERNEL32(?), ref: 7FE4344A
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:,$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3630706530-3937138646
                                                        • Opcode ID: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction ID: b496e5684aadc1015c349d78354231b133038d9e79336126b4f1a11543d7919a
                                                        • Opcode Fuzzy Hash: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction Fuzzy Hash: 8D91B17150A349BEEB219F30DC5ABEA7B6CEF41304F00561AF8595F081D6F06F458BAA

                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE43E3B), ref: 7FE43E47
                                                          • Part of subcall function 7FE43E5E: GetProcAddress.KERNEL32(00000000,7FE43E52), ref: 7FE43E5F
                                                          • Part of subcall function 7FE43E5E: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 7FE43E74
                                                          • Part of subcall function 7FE43E5E: wsprintfA.USER32 ref: 7FE43E89
                                                          • Part of subcall function 7FE43E5E: CreateThread.KERNEL32(00000000,00000000,7FE43623,00000000,00000000), ref: 7FE43ED2
                                                          • Part of subcall function 7FE43E5E: CloseHandle.KERNEL32(?,8CAEFD3D), ref: 7FE43EDB
                                                          • Part of subcall function 7FE43E5E: WSAStartup.WS2_32(00000101), ref: 7FE43F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE43F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 7FE43F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE44022
                                                        • connect.WS2_32(6F6C6902,7FE43A9B,00000010), ref: 7FE4403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE44086
                                                        • wsprintfA.USER32 ref: 7FE44104
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 7FE44113, 7FE44152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 7FE44151
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2507355515-4156410515
                                                        • Opcode ID: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction ID: 1282cdb7a57d0ece0525ed28aa667079966fefc0cfcbbf953286eca4285c7354
                                                        • Opcode Fuzzy Hash: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction Fuzzy Hash: B991E77151A345BEDB229F30DC5ABEA7B6CEF41304F00551EF85A4E081D6F06B458BAA
                                                        APIs
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE44022
                                                        • connect.WS2_32(6F6C6902,7FE43A9B,00000010), ref: 7FE4403C
                                                        • wsprintfA.USER32 ref: 7FE44104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 7FE44132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE46E32,00000099,6F6C6902,6F6C6902,7FE43AE4,00000014,00000000), ref: 7FE4413B
                                                        • Sleep.KERNEL32(00000064,?,?,?,Function_000037AB,6F6C6902,?,?,00000023,7FE46E32,00000099,6F6C6902,6F6C6902,7FE43AE4,00000014,00000000), ref: 7FE441D4
                                                        • GetTickCount.KERNEL32 ref: 7FE441DD
                                                        • closesocket.WS2_32(6F6C6902), ref: 7FE44201
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 7FE4421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 7FE44230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 7FE44243
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2506426657-2210051122
                                                        • Opcode ID: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction ID: 06ed279b157b96b9d3e989f266a78d68f540145da5e5aa18ea02552df2915a95
                                                        • Opcode Fuzzy Hash: 08f61cf80bf70871499e3b87280a87aff5d7df4c23187df421c79e908f4d7756
                                                        • Instruction Fuzzy Hash: F461E371609349BAEB269F34D819BEE7BADEF41304F00150DFC5A5E181D6F0AB44CB99
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(7FE43EE6), ref: 7FE43EF2
                                                          • Part of subcall function 7FE43F21: LoadLibraryA.KERNEL32(7FE43F15), ref: 7FE43F21
                                                          • Part of subcall function 7FE43F21: WSAStartup.WS2_32(00000101), ref: 7FE43F60
                                                          • Part of subcall function 7FE43F21: CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 7FE43F7B
                                                          • Part of subcall function 7FE43F21: CloseHandle.KERNEL32(?,00000000), ref: 7FE43F84
                                                          • Part of subcall function 7FE43F21: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43F91
                                                          • Part of subcall function 7FE43F21: socket.WS2_32(00000002,00000001,00000000), ref: 7FE44022
                                                          • Part of subcall function 7FE43F21: connect.WS2_32(6F6C6902,7FE43A9B,00000010), ref: 7FE4403C
                                                          • Part of subcall function 7FE43F21: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE44086
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3793714048-2210051122
                                                        • Opcode ID: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction ID: b2522aa503f7a816f7a31dedb7dd5c21d040cf262544476420dae91e985dd7cf
                                                        • Opcode Fuzzy Hash: 814f2ea0463a0fac8cefa47818189bece0fb35e12e5e25b42336b536121c8728
                                                        • Instruction Fuzzy Hash: 6D61D57150A345BEEB215F34DC1ABEA7BACEF41314F001619F8595F081D6F06B458BAA
                                                        APIs
                                                        • GetSystemTime.KERNEL32(7FE474C0), ref: 7FE43831
                                                        • Sleep.KERNEL32(0000EA60), ref: 7FE438A3
                                                        • InternetGetConnectedState.WININET(?,00000000), ref: 7FE438BC
                                                        • gethostbyname.WS2_32(0D278061), ref: 7FE438FE
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 7FE43913
                                                        • ioctlsocket.WS2_32(?,8004667E), ref: 7FE4392C
                                                        • connect.WS2_32(?,?,00000010), ref: 7FE43945
                                                        • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FE43953
                                                        • closesocket.WS2_32 ref: 7FE439B2
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                                                        • String ID: toexkd.com
                                                        • API String ID: 159131500-233167519
                                                        • Opcode ID: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction ID: f945e06239b55d7f4b4a8428cefa29c9362f4d4b515cc77c946582e731e720d7
                                                        • Opcode Fuzzy Hash: 8ccde648c3dd195465448be3fbb53ae26695fc3dcfe3de3b173b270b1aee00e3
                                                        • Instruction Fuzzy Hash: 7541D131605349BEEB215E20AC4DBEABB6EFF89754F00501DF95ADE0C0D6F59B40A628
                                                        APIs
                                                          • Part of subcall function 7FE41444: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE41454
                                                          • Part of subcall function 7FE41444: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE41464
                                                        • CloseHandle.KERNEL32(?), ref: 7FE405AD
                                                        • FreeLibrary.KERNEL32(75070000,?,7FE40795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407B2
                                                        • CloseHandle.KERNEL32(?,?,7FE40795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407B9
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407C3
                                                        • Process32First.KERNEL32 ref: 7FE407D6
                                                        • Process32Next.KERNEL32 ref: 7FE407E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE407FF
                                                        • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 7FE4083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 7FE40857
                                                        • CloseHandle.KERNEL32 ref: 7FE40866
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                        • String ID: csrs
                                                        • API String ID: 3908997113-2321902090
                                                        • Opcode ID: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction ID: b5172aac4e6e61db880b5a56548a9fb8e8607609d5ab63128151cd81f22da427
                                                        • Opcode Fuzzy Hash: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction Fuzzy Hash: F5118231106304FBEB212F21DD49BBF3A6DEF44751F00102DFA4A9A091DBB49B0196AA
                                                        APIs
                                                        • GetTempPathA.KERNEL32(00000104), ref: 7FE42786
                                                          • Part of subcall function 7FE427A1: GetTempFileNameA.KERNEL32(?,7FE4279D,00000000,?), ref: 7FE427A2
                                                          • Part of subcall function 7FE427A1: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE4279D,00000000,?), ref: 7FE427BD
                                                          • Part of subcall function 7FE427A1: InternetReadFile.WININET(?,?,00000104), ref: 7FE427D7
                                                          • Part of subcall function 7FE427A1: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE4279D,00000000,?), ref: 7FE427ED
                                                          • Part of subcall function 7FE427A1: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE4279D,00000000,?), ref: 7FE427F9
                                                          • Part of subcall function 7FE427A1: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE4279D), ref: 7FE4281D
                                                          • Part of subcall function 7FE427A1: InternetCloseHandle.WININET(?), ref: 7FE4282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 7FE42834
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
                                                        • String ID:
                                                        • API String ID: 1995088466-0
                                                        • Opcode ID: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction ID: c7209044cc28c9bac3961458f608d1462eb56ad0fef50d8b4581cc80125cbe19
                                                        • Opcode Fuzzy Hash: 7bc4d0a379e192ec2e33a7f784194f8796b18de7c6074aa6a9c7008997176855
                                                        • Instruction Fuzzy Hash: AE21D2B1146306BFE7211B20DC8DFFF7A6CEF95B00F004119FA0989081D7B1AA4186BA
                                                        APIs
                                                        • GetTempFileNameA.KERNEL32(?,7FE4279D,00000000,?), ref: 7FE427A2
                                                        • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE4279D,00000000,?), ref: 7FE427BD
                                                        • InternetReadFile.WININET(?,?,00000104), ref: 7FE427D7
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE4279D,00000000,?), ref: 7FE427ED
                                                        • CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE4279D,00000000,?), ref: 7FE427F9
                                                        • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE4279D), ref: 7FE4281D
                                                        • InternetCloseHandle.WININET(?), ref: 7FE4282D
                                                        • InternetCloseHandle.WININET(00000000), ref: 7FE42834
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                                                        • String ID:
                                                        • API String ID: 3452404049-0
                                                        • Opcode ID: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction ID: 967edc6c3228d8dc80771701bd1f44234d191827375817d138cb09e09eb8a148
                                                        • Opcode Fuzzy Hash: a6daa6137c14de444b7c473bdfe877fc090218d21c0b2d650c6d63247ae0bff6
                                                        • Instruction Fuzzy Hash: 611161B1142606BFEB250B20DC4DFFF7A7DEF85B11F004518FA068D081D7B46A5086B9
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(039CFF54), ref: 7FE41137
                                                        • GetProcAddress.KERNEL32(00000000,7FE411D0), ref: 7FE41142
                                                        Memory Dump Source
                                                        • Source File: 00000010.00000002.2370403769.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_16_2_7fe40000_mssecsvc.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: .DLL
                                                        • API String ID: 1646373207-899428287
                                                        • Opcode ID: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction ID: f43a311243e44b3550b7c25c1157359c57101c0d9cf16b19304a3b9cc7bbc5cd
                                                        • Opcode Fuzzy Hash: 6d74e3db0ed8297824388177b8ff2c6877fe2d32ccf2c50d01fd0a933dc10288
                                                        • Instruction Fuzzy Hash: 1B010834100205AADF578F28E845AFE37B9EB05266F10211EF41A8B645C6789B40CF95

                                                        Execution Graph

                                                        Execution Coverage:5.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:345
                                                        Total number of Limit Nodes:1
Sleep ResetEvent 3014->3021 3015 bf4219 SetEvent 3015->3014 3017 bf4200 closesocket 3016->3017 3016->3021 3017->3021 3018 bf407a GetVersionExA 3018->3021 3019 bf40fd wsprintfA 3019->3021 3020 bf4125 CreateThread CloseHandle 3020->3021 3021->3009 3021->3011 3021->3012 3021->3013 3021->3014 3021->3015 3021->3017 3021->3018 3021->3019 3021->3020 3022 bf41d1 Sleep 3021->3022 3022->3021 3023 bf41dd GetTickCount 3022->3023 3023->3021 2508 bf02fe 2509 bf0415 2508->2509 2511 bf042d 2509->2511 2542 bf10c8 2511->2542 2513 bf048f 2514 bf04dd 2513->2514 2515 bf04b0 GetModuleHandleA 2513->2515 2516 bf04f8 GetVersion 2514->2516 2515->2514 2517 bf050f VirtualAlloc 2516->2517 2518 bf05ca 2516->2518 2519 bf05a9 CloseHandle 2517->2519 2524 bf0532 2517->2524 2518->2519 2520 bf05d3 SetProcessAffinityMask 2518->2520 2522 bf05f2 GetModuleHandleA 2519->2522 2549 bf05f2 GetModuleHandleA 2520->2549 2523 bf10c8 2 API calls 2522->2523 2540 bf05ec 2523->2540 2524->2519 2546 bf05ba 2524->2546 2525 bf06fc lstrcpyW 2568 bf24a8 lstrcpyW lstrlenW 2525->2568 2527 bf0717 GetPEB lstrcpyW lstrcatW 2529 bf24a8 3 API calls 2527->2529 2528 bf0746 NtMapViewOfSection 2528->2519 2528->2540 2529->2540 2531 bf077a NtOpenProcessToken 2532 bf07bf CreateToolhelp32Snapshot Process32First 2531->2532 2531->2540 2533 bf07e5 Process32Next 2532->2533 2534 bf085f CloseHandle 2533->2534 2533->2540 2534->2519 2536 bf07f7 OpenProcess 2536->2533 2536->2540 2538 bf0856 CloseHandle 2538->2533 2539 bf082e CreateRemoteThread 2539->2538 2539->2540 2540->2519 2540->2525 2540->2527 2540->2528 2540->2531 2540->2532 2540->2533 2540->2536 2540->2538 2540->2539 2541 bf05ba Sleep 2540->2541 2571 bf07a6 2540->2571 2593 bf256e 2540->2593 2541->2538 2545 bf10d5 2542->2545 2543 bf1156 2543->2513 2544 bf112d GetModuleHandleA GetProcAddress 2544->2545 2545->2542 2545->2543 2545->2544 2547 bf05bf Sleep 2546->2547 2548 bf05c9 2546->2548 2547->2546 2548->2519 2550 bf10c8 2 API calls 2549->2550 2566 bf060e 2550->2566 2551 bf05a9 CloseHandle 
2551->2549 2552 bf06fc lstrcpyW 2553 bf24a8 3 API calls 2552->2553 2553->2566 2554 bf0717 GetPEB lstrcpyW lstrcatW 2556 bf24a8 3 API calls 2554->2556 2555 bf0746 NtMapViewOfSection 2555->2551 2555->2566 2556->2566 2557 bf077a NtOpenProcessToken 2558 bf07bf CreateToolhelp32Snapshot Process32First 2557->2558 2557->2566 2559 bf07e5 Process32Next 2558->2559 2560 bf085f CloseHandle 2559->2560 2559->2566 2560->2551 2561 bf07a6 30 API calls 2561->2566 2562 bf07f7 OpenProcess 2562->2559 2562->2566 2563 bf256e 5 API calls 2563->2566 2564 bf0856 CloseHandle 2564->2559 2565 bf082e CreateRemoteThread 2565->2564 2565->2566 2566->2551 2566->2552 2566->2554 2566->2555 2566->2557 2566->2558 2566->2559 2566->2561 2566->2562 2566->2563 2566->2564 2566->2565 2567 bf05ba Sleep 2566->2567 2567->2564 2612 bf029d 2568->2612 2570 bf24e4 NtCreateSection 2570->2540 2614 bf1444 LookupPrivilegeValueA NtAdjustPrivilegesToken 2571->2614 2573 bf07ac FreeLibrary CloseHandle 2574 bf07bf CreateToolhelp32Snapshot Process32First 2573->2574 2575 bf07e5 Process32Next 2574->2575 2576 bf085f CloseHandle 2575->2576 2591 bf060e 2575->2591 2577 bf05a9 CloseHandle 2576->2577 2579 bf05f2 GetModuleHandleA 2577->2579 2578 bf07f7 OpenProcess 2578->2575 2578->2591 2581 bf10c8 2 API calls 2579->2581 2580 bf256e 5 API calls 2580->2591 2581->2591 2582 bf0856 CloseHandle 2582->2575 2583 bf082e CreateRemoteThread 2583->2582 2583->2591 2584 bf05ba Sleep 2584->2582 2585 bf06fc lstrcpyW 2586 bf24a8 3 API calls 2585->2586 2586->2591 2587 bf0717 GetPEB lstrcpyW lstrcatW 2589 bf24a8 3 API calls 2587->2589 2588 bf0746 NtMapViewOfSection 2588->2577 2588->2591 2589->2591 2590 bf077a NtOpenProcessToken 2590->2574 2590->2591 2591->2574 2591->2575 2591->2577 2591->2578 2591->2580 2591->2582 2591->2583 2591->2584 2591->2585 2591->2587 2591->2588 2591->2590 2592 bf07a6 13 API calls 2591->2592 2592->2591 2615 bf2529 NtOpenSection 2593->2615 2595 bf2576 2596 bf257c NtMapViewOfSection CloseHandle 2595->2596 2597 bf265b 2595->2597 
2596->2597 2599 bf25b4 2596->2599 2597->2540 2598 bf25e9 2617 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2598->2617 2599->2598 2616 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2599->2616 2602 bf25fa 2618 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2602->2618 2604 bf260b 2619 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2604->2619 2606 bf261c 2607 bf2631 2606->2607 2620 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2606->2620 2609 bf2646 2607->2609 2621 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2607->2621 2609->2597 2622 bf2471 NtProtectVirtualMemory NtWriteVirtualMemory 2609->2622 2613 bf02a0 2612->2613 2613->2570 2614->2573 2615->2595 2616->2598 2617->2602 2618->2604 2619->2606 2620->2607 2621->2609 2622->2597 2485 bf141c 2486 bf1429 LookupPrivilegeValueA NtAdjustPrivilegesToken 2485->2486 3024 bf275c 3026 bf2762 3024->3026 3027 bf277a GetTempPathA 3026->3027 3028 bf2833 InternetCloseHandle 3026->3028 3036 bf27a1 GetTempFileNameA CreateFileA 3027->3036 3030 bf279d CreateFileA 3031 bf27c8 InternetReadFile 3030->3031 3032 bf2823 InternetCloseHandle 3030->3032 3033 bf27f8 CloseHandle CreateProcessA 3031->3033 3034 bf27e2 3031->3034 3032->3028 3033->3032 3034->3033 3035 bf27e4 WriteFile 3034->3035 3035->3031 3035->3033 3037 bf27c8 InternetReadFile 3036->3037 3038 bf2823 InternetCloseHandle 3036->3038 3039 bf27f8 CloseHandle CreateProcessA 3037->3039 3040 bf27e2 3037->3040 3041 bf2833 InternetCloseHandle 3038->3041 3039->3038 3040->3039 3042 bf27e4 WriteFile 3040->3042 3041->3030 3042->3037 3042->3039 2487 bf381a 2489 bf3820 GetSystemTime 2487->2489 2496 bf3864 2489->2496 2490 bf389e Sleep 2490->2496 2491 bf38b6 InternetGetConnectedState 2491->2496 2492 bf39c4 2493 bf38e6 gethostbyname 2494 bf390c socket 2493->2494 2493->2496 2495 bf3922 ioctlsocket connect Sleep 2494->2495 2494->2496 2495->2496 2496->2490 2496->2491 2496->2492 2496->2493 2497 bf39b1 closesocket 2496->2497 2497->2496 3043 bf6559 3044 bf6580 5 API calls 
3043->3044 3045 bf6563 3044->3045 2458 a7978c 2459 a79790 2458->2459 2460 a798ce 2459->2460 2462 a7302f 2459->2462 2466 a730c5 2462->2466 2465 a73045 2467 a73039 GetPEB 2466->2467 2467->2465 2468 bf13b4 2470 bf1379 2468->2470 2469 bf1429 LookupPrivilegeValueA NtAdjustPrivilegesToken 2470->2469 2471 bf13fd 2470->2471 2472 bf4334 2475 bf1444 LookupPrivilegeValueA NtAdjustPrivilegesToken 2472->2475 2474 bf433a 2475->2474 2627 bf6573 2630 bf6580 2627->2630 2631 bf658b 2630->2631 2632 bf657d 2630->2632 2631->2632 2634 bf6591 2631->2634 2635 bf256e 5 API calls 2634->2635 2636 bf65a3 2635->2636 2636->2632 2637 bf3372 2638 bf3377 2637->2638 2639 bf3401 MapViewOfFile CloseHandle 2638->2639 2641 bf33d2 NtOpenSection 2638->2641 2643 bf3442 2639->2643 2644 bf3585 2639->2644 2640 bf3449 UnmapViewOfFile 2640->2644 2642 bf33f1 NtQuerySystemInformation 2641->2642 2641->2644 2642->2639 2643->2640 2643->2644 2476 bf37ab 2478 bf37b1 WaitForSingleObject 2476->2478 2479 bf37cd closesocket 2478->2479 2480 bf37d7 2478->2480 2479->2480 2481 bf332b 2483 bf3334 2481->2483 2484 bf333b Sleep 2483->2484 2484->2484 2645 bf1169 LoadLibraryA 2650 bf1190 GetProcAddress 2645->2650 2647 bf117a 2648 bf121a 2647->2648 2649 bf1429 LookupPrivilegeValueA NtAdjustPrivilegesToken 2647->2649 2650->2647 3046 bf10c5 3047 bf10c8 3046->3047 3048 bf1156 3047->3048 3049 bf112d GetModuleHandleA GetProcAddress 3047->3049 3049->3047 2498 bf0000 2499 bf0004 2498->2499 2500 bf00a1 2499->2500 2502 bf025e 2499->2502 2506 bf0105 2502->2506 2505 bf0278 2505->2500 2507 bf0116 GetPEB 2506->2507 2507->2505

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 0 bf042d-bf04a4 call bf10c8 3 bf04dd 0->3 4 bf04a6-bf04db call bf2736 GetModuleHandleA 0->4 6 bf04e4-bf0509 call bf274a GetVersion 3->6 4->6 10 bf050f-bf0530 VirtualAlloc 6->10 11 bf05ca-bf05d1 6->11 12 bf05a9-bf0615 CloseHandle GetModuleHandleA call bf10c8 10->12 13 bf0532-bf0562 call bf0305 10->13 11->12 14 bf05d3-bf05fc SetProcessAffinityMask call bf05f2 11->14 29 bf0617-bf0630 12->29 13->12 28 bf0564-bf057b 13->28 20 bf05fe-bf061c 14->20 21 bf0621-bf0630 14->21 20->21 24 bf0639-bf0652 21->24 25 bf0632 21->25 24->12 27 bf0658-bf0671 24->27 25->24 27->12 30 bf0677-bf0690 27->30 28->12 35 bf057d-bf05a4 28->35 29->24 29->25 30->12 31 bf0696-bf069c 30->31 33 bf069e-bf06b1 31->33 34 bf06d8-bf06de 31->34 33->12 36 bf06b7-bf06bd 33->36 37 bf06fc-bf0715 lstrcpyW call bf24a8 34->37 38 bf06e0-bf06f3 34->38 35->12 49 bf05a4 call bf05ba 35->49 36->34 39 bf06bf-bf06d2 36->39 44 bf0717-bf0740 GetPEB lstrcpyW lstrcatW call bf24a8 37->44 45 bf0746-bf076f NtMapViewOfSection 37->45 38->37 40 bf06f5 38->40 39->12 39->34 40->37 44->12 44->45 45->12 47 bf0775-bf0789 call bf0305 NtOpenProcessToken 45->47 53 bf07bf-bf07de CreateToolhelp32Snapshot Process32First 47->53 54 bf078b-bf079d call bf1157 call bf07a6 47->54 49->12 56 bf07e5-bf07ef Process32Next 53->56 65 bf079f 54->65 66 bf0808-bf0809 54->66 58 bf085f-bf086c CloseHandle 56->58 59 bf07f1-bf07f5 56->59 58->12 59->56 61 bf07f7-bf0807 OpenProcess 59->61 61->56 62 bf0809 61->62 64 bf080a-bf0812 call bf256e 62->64 71 bf0856-bf085d CloseHandle 64->71 72 bf0814-bf081a 64->72 65->64 68 bf07a1-bf07be 65->68 66->64 68->53 71->56 72->71 73 bf081c-bf082c 72->73 73->71 74 bf082e-bf0845 CreateRemoteThread 73->74 74->71 75 bf0847-bf0851 call bf05ba 74->75 75->71
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 00BF04BE
                                                        • GetVersion.KERNEL32 ref: 00BF0500
                                                        • VirtualAlloc.KERNEL32(00000000,000076FC,08001000,00000040), ref: 00BF0528
                                                        • CloseHandle.KERNELBASE(?), ref: 00BF05AD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$AllocCloseModuleVersionVirtual
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 3017432202-3480717028
                                                        • Opcode ID: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction ID: 01aba0653bd74cec3c1ab731f1e5c0cd6d8e5d1c941fc67e4f52de5c6d6898bd
                                                        • Opcode Fuzzy Hash: 9e52509f19518ea33461c38642fb0176f60e4b6bf5e6ae2128eb7483cd3a28e5
                                                        • Instruction Fuzzy Hash: 1FB18C71525249FFEB21AF20C849BAA3BE8EF45311F004069EE099F1A2D7F09F49DB55

                                                        Control-flow Graph

                                                        control_flow_graph 77 bf05f2-bf0615 GetModuleHandleA call bf10c8 80 bf05a9-bf05b3 CloseHandle 77->80 81 bf0617-bf0630 77->81 80->77 82 bf0639-bf0652 81->82 83 bf0632 81->83 82->80 84 bf0658-bf0671 82->84 83->82 84->80 85 bf0677-bf0690 84->85 85->80 86 bf0696-bf069c 85->86 87 bf069e-bf06b1 86->87 88 bf06d8-bf06de 86->88 87->80 89 bf06b7-bf06bd 87->89 90 bf06fc-bf0715 lstrcpyW call bf24a8 88->90 91 bf06e0-bf06f3 88->91 89->88 92 bf06bf-bf06d2 89->92 96 bf0717-bf0740 GetPEB lstrcpyW lstrcatW call bf24a8 90->96 97 bf0746-bf076f NtMapViewOfSection 90->97 91->90 93 bf06f5 91->93 92->80 92->88 93->90 96->80 96->97 97->80 98 bf0775-bf0789 call bf0305 NtOpenProcessToken 97->98 103 bf07bf-bf07de CreateToolhelp32Snapshot Process32First 98->103 104 bf078b-bf079d call bf1157 call bf07a6 98->104 106 bf07e5-bf07ef Process32Next 103->106 115 bf079f 104->115 116 bf0808-bf0809 104->116 108 bf085f-bf086c CloseHandle 106->108 109 bf07f1-bf07f5 106->109 108->80 109->106 111 bf07f7-bf0807 OpenProcess 109->111 111->106 112 bf0809 111->112 114 bf080a-bf0812 call bf256e 112->114 121 bf0856-bf085d CloseHandle 114->121 122 bf0814-bf081a 114->122 115->114 118 bf07a1-bf07be 115->118 116->114 118->103 121->106 122->121 123 bf081c-bf082c 122->123 123->121 124 bf082e-bf0845 CreateRemoteThread 123->124 124->121 125 bf0847-bf0851 call bf05ba 124->125 125->121
                                                        APIs
                                                        • CloseHandle.KERNELBASE(?), ref: 00BF05AD
                                                        • GetModuleHandleA.KERNEL32(00BF05EC), ref: 00BF05F2
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,\BaseNamedObjects\yietVt,?,?,?,?), ref: 00BF070A
                                                        • lstrcpyW.KERNEL32(\BaseNamedObjects\yietVt,?), ref: 00BF0727
                                                        • lstrcatW.KERNEL32(\BaseNamedObjects\yietVt,\yietVt), ref: 00BF0735
                                                        • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000076FC,00000000,?,00000002,00000000,00000040), ref: 00BF0765
                                                        • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00BF0780
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07C3
                                                        • Process32First.KERNEL32 ref: 00BF07D6
                                                        • Process32Next.KERNEL32 ref: 00BF07E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07FF
                                                        • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 00BF083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF0857
                                                        • CloseHandle.KERNEL32 ref: 00BF0866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                        • String ID: \BaseNamedObjects\yietVt$\BaseNamedObjects\yietVt$csrs
                                                        • API String ID: 1545766225-3480717028
                                                        • Opcode ID: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction ID: b8e6cd7ea591cdcb5a82f6fcdedd6c1d5b6b0192a329e17bea99af0cb352b994
                                                        • Opcode Fuzzy Hash: 3efdda5cb34b8549ff192c0c77a2c1be46cedb893c6e90d2a818372e31aeead3
                                                        • Instruction Fuzzy Hash: 4B718C31511209FFEB216F10C889ABE3BADEF54711F0400A9FE099F1A2D7B19F499B59

                                                        Control-flow Graph

                                                        control_flow_graph 180 bf1169-bf1181 LoadLibraryA call bf1190 183 bf11ec 180->183 184 bf1183 180->184 185 bf11ee-bf11f2 183->185 184->185 186 bf1185-bf118c 184->186 187 bf11f3-bf1209 185->187 186->187 188 bf118e-bf1194 186->188 191 bf120b-bf120f 187->191 192 bf11e9 187->192 189 bf11bd 188->189 190 bf1196-bf11b3 188->190 194 bf11be-bf11d2 189->194 200 bf11b5-bf11bc 190->200 197 bf1279-bf1280 191->197 198 bf1210-bf1218 191->198 195 bf11eb 192->195 196 bf1259-bf1264 192->196 194->200 205 bf11d4-bf11d6 194->205 195->183 199 bf1265-bf1271 196->199 202 bf1281-bf1298 197->202 203 bf11da-bf11e6 198->203 204 bf121a-bf1243 198->204 200->189 200->194 209 bf1299-bf129e 202->209 203->192 210 bf1250-bf1256 204->210 205->203 211 bf12a1-bf12ab 209->211 210->196 212 bf131d-bf131f 211->212 213 bf12ad-bf12b3 211->213 214 bf1351-bf1353 212->214 215 bf1321-bf1323 212->215 216 bf1315 213->216 217 bf12b5-bf12b7 213->217 218 bf13a5-bf13aa 214->218 219 bf1355-bf1357 214->219 221 bf1375-bf1377 215->221 222 bf1325-bf132b 215->222 220 bf1319-bf131b 216->220 223 bf12f9-bf12fb 217->223 224 bf12b9-bf12bd 217->224 225 bf13b5-bf13bf 218->225 227 bf13c9-bf13cb 219->227 228 bf1359-bf135b 219->228 220->212 229 bf137d-bf1389 220->229 232 bf1379-bf137c 221->232 233 bf13e7 221->233 230 bf12fd-bf12ff 222->230 231 bf132d-bf1333 222->231 223->230 223->231 224->210 235 bf12bf 224->235 236 bf13a1 225->236 237 bf13c1-bf13c7 225->237 240 bf13fd-bf1404 227->240 241 bf13cd-bf13cf 227->241 238 bf134d 228->238 239 bf135d-bf1361 228->239 245 bf138d-bf1390 229->245 230->202 234 bf1301-bf1307 230->234 242 bf1365-bf136b 231->242 243 bf1335-bf1337 231->243 232->229 233->232 244 bf13e9-bf13ef 233->244 234->209 246 bf1309-bf130b 234->246 235->211 247 bf12c1-bf12c3 235->247 236->218 237->227 258 bf1429-bf146e LookupPrivilegeValueA NtAdjustPrivilegesToken 237->258 238->214 239->242 250 bf13e1-bf13e6 241->250 251 bf13d1-bf13df 241->251 242->231 252 bf136d-bf136f 
242->252 243->220 253 bf1339-bf133b 243->253 255 bf1391-bf139b 244->255 263 bf13f1-bf13fb 244->263 245->255 246->230 256 bf130d-bf1313 246->256 247->222 257 bf12c5 247->257 250->233 251->250 251->263 260 bf1341-bf1343 252->260 261 bf1371 252->261 253->245 262 bf133d 253->262 264 bf139d-bf13a0 255->264 256->216 256->217 265 bf12c9-bf12cb 257->265 260->225 269 bf1345-bf134b 260->269 261->221 266 bf133f 262->266 267 bf12d0-bf12d3 262->267 263->240 263->264 264->236 265->230 270 bf12cd 265->270 266->234 266->260 267->199 271 bf12d5-bf12db 267->271 269->238 269->270 270->267 272 bf12ed-bf12ef 271->272 273 bf12dd-bf12e3 271->273 272->234 275 bf12f1-bf12f3 272->275 273->219 274 bf12e5-bf12e7 273->274 274->265 276 bf12e9 274->276 275->219 277 bf12f5-bf12f7 275->277 276->272 277->197 277->223
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00BF115C,00BF0790,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF1169
                                                          • Part of subcall function 00BF1190: GetProcAddress.KERNEL32(00000000,00BF117A), ref: 00BF1191
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: \yietVt
                                                        • API String ID: 2574300362-631217602
                                                        • Opcode ID: ddceb8ed017c91943d9a448d444f19c06bcc501119d2ca4c973b0aca51092c02
                                                        • Instruction ID: 96ca634e04085753114363e3212aa535bfd8ffe8b2dd1fadfeef5214c47701ce
                                                        • Opcode Fuzzy Hash: ddceb8ed017c91943d9a448d444f19c06bcc501119d2ca4c973b0aca51092c02
                                                        • Instruction Fuzzy Hash: 44A18A6591829BEBCB22DA7D88894F9BFE1EB333647484DD9D240DF443D222990FC790

                                                        Control-flow Graph

                                                        control_flow_graph 278 bf2529-bf256d NtOpenSection
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,0000000E), ref: 00BF2558
                                                        Strings
                                                        • \BaseNamedObjects\yietVt, xrefs: 00BF2545
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: OpenSection
                                                        • String ID: \BaseNamedObjects\yietVt
                                                        • API String ID: 1950954290-129974550
                                                        • Opcode ID: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction ID: b3aacc91b347d59d7f115e11f4200a74d00a3252589c1a9605fbc5584bb4d301
                                                        • Opcode Fuzzy Hash: c6b8e9e32f6dcba079ef7aea98ec054ed3ce8beadf41c2fd00718ee6712a4e74
                                                        • Instruction Fuzzy Hash: C2E0D8F17401063EFB185719CC07FF7218DDB80601F048508F914DA080E5F4DF1182B8

                                                        Control-flow Graph

                                                        control_flow_graph 279 bf256e-bf2576 call bf2529 282 bf257c-bf25ae NtMapViewOfSection CloseHandle 279->282 283 bf265b-bf265e 279->283 282->283 284 bf25b4-bf25ba 282->284 285 bf25bc-bf25c5 284->285 286 bf25c8-bf25d2 284->286 285->286 287 bf25e9-bf2624 call bf2471 * 3 286->287 288 bf25d4-bf25dc 286->288 297 bf2626-bf262c call bf2471 287->297 298 bf2631-bf2639 287->298 288->287 289 bf25de-bf25e4 call bf2471 288->289 289->287 297->298 300 bf263b-bf2641 call bf2471 298->300 301 bf2646-bf264e 298->301 300->301 301->283 302 bf2650-bf2656 call bf2471 301->302 302->283
                                                        APIs
                                                          • Part of subcall function 00BF2529: NtOpenSection.NTDLL(?,0000000E), ref: 00BF2558
                                                        • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B6FC,00000000,?,00000002,00100000,00000040), ref: 00BF259E
                                                        • CloseHandle.KERNELBASE(00000000,0000B6FC,00000000,?,00000002,00100000,00000040,00000000,0000B6FC,00000000,?,00BF080F), ref: 00BF25A6
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Section$CloseHandleOpenView
                                                        • String ID:
                                                        • API String ID: 2731707328-0
                                                        • Opcode ID: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction ID: 3f44de2789c11ec390aba75d2343c1db3a76a473d6fbba080d8c7414b2dd25c5
                                                        • Opcode Fuzzy Hash: 021b1acb1bf40c706123403cc397f8585b61a767fc7f0a33a1c3ace3a91a31f2
                                                        • Instruction Fuzzy Hash: 5C21307030050ABADB24DF25CC66BB973A9EF50740F000198FB198F2D4DBB1AF598B54

                                                        Control-flow Graph

                                                        control_flow_graph 305 bf141c-bf146e LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00BF1454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00BF1464
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction ID: 01f7e7575b44af39e84b9ee94f66a89c6d22cfdb503e39dbcfd023e7ab42d64d
                                                        • Opcode Fuzzy Hash: 7157bc59c0e3de482e8bd6b2610b223013a43f583be5db88b94377e31208a128
                                                        • Instruction Fuzzy Hash: 9FF08236542520BBD6206F56CC8EED77E28EF533A0F144956F4484E156C2A28BA5D3E4

                                                        Control-flow Graph

                                                        control_flow_graph 307 bf2471-bf24a7 NtProtectVirtualMemory NtWriteVirtualMemory
                                                        APIs
                                                        • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00BF2495
                                                        • NtWriteVirtualMemory.NTDLL ref: 00BF249E
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MemoryVirtual$ProtectWrite
                                                        • String ID:
                                                        • API String ID: 151266762-0
                                                        • Opcode ID: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction ID: bec36d184e0d76b253c82774af185ce515cf0d17d059aebebe1b98a4915fad90
                                                        • Opcode Fuzzy Hash: 17dce67c487cc0ef90ba526871884689c6391e914ce978ece8a073020b9af88e
                                                        • Instruction Fuzzy Hash: 7AE0ECA06502007FF5185B159C5BF7B391DDB41A45F410108FA0A98184F9A15E14467A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 308 bf1444-bf146e LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                        APIs
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00BF1454
                                                        • NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00BF1464
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                        • String ID:
                                                        • API String ID: 3615134276-0
                                                        • Opcode ID: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction ID: 0db5ea05f469a6ff49ad20a45e501a6d4802517c6c4e4fc049ea7a79551dc49b
                                                        • Opcode Fuzzy Hash: 98fd101a259c938ae854db39385a2a060802fe35a78288dc9bd6859ea4aae5d1
                                                        • Instruction Fuzzy Hash: 06D05E31603030BBD6302E0A8C0EED73D1DEF537B0F004400F80C8A191C1A28EA1C6F5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 312 a7302f-a73043 call a730c5 GetPEB 315 a73045-a73068 call a730c5 call a730c1 312->315 316 a73071-a798fa call a73008 312->316 322 a7306d-a73070 315->322 325 a79932-a79946 call a798f1 316->325 326 a798fc-a79904 316->326 322->316 326->325 327 a79906-a79931 326->327 327->325
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980597130.0000000000A73000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000011.00000002.2979611009.0000000000400000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979662708.0000000000401000.00000080.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979723193.000000000040A000.00000002.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979783876.000000000040B000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979783876.000000000040F000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979906966.000000000042E000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2979957411.000000000042F000.00000008.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2980011475.0000000000431000.00000004.00000001.01000000.00000004.sdmp
                                                        • Associated: 00000011.00000002.2980161347.0000000000710000.00000080.00000001.01000000.00000004.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_400000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4656093ae1c7bbb04d21488f95fe7bddf1a9615c02ec3ad5a29a1aa1a73d1730
                                                        • Instruction ID: 423065dfefecc7dea162951949b78e36b3c1b093d43354c81d1a365680741e01
                                                        • Opcode Fuzzy Hash: 4656093ae1c7bbb04d21488f95fe7bddf1a9615c02ec3ad5a29a1aa1a73d1730
                                                        • Instruction Fuzzy Hash: 28118C737042519BEB119E2CCD81EAE7762EFC4324F10C31AA5085F182CA3296439681

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 127 bf07a6-bf07b9 call bf1444 FreeLibrary CloseHandle 130 bf07bf-bf07de CreateToolhelp32Snapshot Process32First 127->130 131 bf07e5-bf07ef Process32Next 130->131 132 bf085f-bf086c CloseHandle 131->132 133 bf07f1-bf07f5 131->133 134 bf05a9-bf0615 CloseHandle GetModuleHandleA call bf10c8 132->134 133->131 135 bf07f7-bf0807 OpenProcess 133->135 145 bf0617-bf0630 134->145 135->131 136 bf0809 135->136 137 bf080a-bf0812 call bf256e 136->137 143 bf0856-bf085d CloseHandle 137->143 144 bf0814-bf081a 137->144 143->131 144->143 146 bf081c-bf082c 144->146 147 bf0639-bf0652 145->147 148 bf0632 145->148 146->143 150 bf082e-bf0845 CreateRemoteThread 146->150 147->134 149 bf0658-bf0671 147->149 148->147 149->134 151 bf0677-bf0690 149->151 150->143 152 bf0847-bf0851 call bf05ba 150->152 151->134 153 bf0696-bf069c 151->153 152->143 155 bf069e-bf06b1 153->155 156 bf06d8-bf06de 153->156 155->134 157 bf06b7-bf06bd 155->157 158 bf06fc-bf0715 lstrcpyW call bf24a8 156->158 159 bf06e0-bf06f3 156->159 157->156 160 bf06bf-bf06d2 157->160 164 bf0717-bf0740 GetPEB lstrcpyW lstrcatW call bf24a8 158->164 165 bf0746-bf076f NtMapViewOfSection 158->165 159->158 161 bf06f5 159->161 160->134 160->156 161->158 164->134 164->165 165->134 166 bf0775-bf0789 call bf0305 NtOpenProcessToken 165->166 166->130 171 bf078b-bf079d call bf1157 call bf07a6 166->171 176 bf079f 171->176 177 bf0808-bf0809 171->177 176->137 178 bf07a1-bf07be 176->178 177->137 178->130
                                                        APIs
                                                          • Part of subcall function 00BF1444: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00BF1454
                                                          • Part of subcall function 00BF1444: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00BF1464
                                                        • CloseHandle.KERNELBASE(?), ref: 00BF05AD
                                                        • FreeLibrary.KERNEL32(75070000,?,00BF0795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07B2
                                                        • CloseHandle.KERNELBASE(?,?,00BF0795,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07B9
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000076FC,00000000,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07C3
                                                        • Process32First.KERNEL32 ref: 00BF07D6
                                                        • Process32Next.KERNEL32 ref: 00BF07E7
                                                        • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF07FF
                                                        • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BCA,00000002,00000000), ref: 00BF083C
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000076FC), ref: 00BF0857
                                                        • CloseHandle.KERNEL32 ref: 00BF0866
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                        • String ID: csrs
                                                        • API String ID: 3908997113-2321902090
                                                        • Opcode ID: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction ID: 2d766dc662f3e415031afddd8625f08544b2be62c1c586dc76c9fc47a744db59
                                                        • Opcode Fuzzy Hash: d0fb684184325cf97b1a179c9ca4efc16d1a2b2f3f24e28a7afb2982f5ecefec
                                                        • Instruction Fuzzy Hash: 08119831115208FBEB253F21CD49BBF3AADEF50751F00105DFA499B062DBB09F05965A

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 309 bf05ba-bf05bd 310 bf05bf-bf05c7 Sleep 309->310 311 bf05c9 309->311 310->309
                                                        APIs
                                                        • Sleep.KERNELBASE(0000000A,00BF0856,?,00000000,00000000,-00003BCA,00000002,00000000,?,00000000), ref: 00BF05C1
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID:
                                                        • API String ID: 3472027048-0
                                                        • Opcode ID: cbe9f769ebb1c608110980d8cf827f438a34bc7706bd5e9152dadd0aa2487085
                                                        • Instruction ID: bd8a4a21cf57d4045ddb282fd7b8a05e7e59f81700d8a898af258ee242bbd7b8
                                                        • Opcode Fuzzy Hash: cbe9f769ebb1c608110980d8cf827f438a34bc7706bd5e9152dadd0aa2487085
                                                        • Instruction Fuzzy Hash: CCB0122825030CD5DA142960448FB241654BF10B11FE000D4F7060E0D107E006041909
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BF33DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BF33FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BF3425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BF3432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 00BF344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$\Device\PhysicalMemory
                                                        • API String ID: 2985292042-1440550476
                                                        • Opcode ID: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction ID: 3d872a564602d755c77484a67914685165c2b322e46a9d5f3d3ee75d514b7063
                                                        • Opcode Fuzzy Hash: 88666e3b46497b17619ef40150271629320bc9c847141e1187092b1263c5d190
                                                        • Instruction Fuzzy Hash: 3F81AC71500208FFEB249F14CC8AEBA37ACEF44B15F504558FE199B291D7B0AF598BA4
                                                        APIs
                                                        • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BF33DC
                                                        • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BF33FB
                                                        • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BF3425
                                                        • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BF3432
                                                        • UnmapViewOfFile.KERNEL32(?), ref: 00BF344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                        • String ID: C:,$ysic
                                                        • API String ID: 2985292042-2852681185
                                                        • Opcode ID: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction ID: 423460ec10922d9c87e12e2a761f71176cf22ed65986e8c032f042d512e8d309
                                                        • Opcode Fuzzy Hash: e633d6c5ab51ed86d86d53715f6dc8a24a37967d393fbf738cca962c486e9fab
                                                        • Instruction Fuzzy Hash: C2116D70140609FBEB249F10CC5AFAB36ACEF88B04F544558FB199B290D7B46F288664
                                                        APIs
                                                        • lstrcpyW.KERNEL32(?,\BaseNamedObjects\yietVt), ref: 00BF24B4
                                                        • lstrlenW.KERNEL32(?), ref: 00BF24BB
                                                        • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00BF2510
                                                        Strings
                                                        • \BaseNamedObjects\yietVt, xrefs: 00BF24B2
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateSectionlstrcpylstrlen
                                                        • String ID: \BaseNamedObjects\yietVt
                                                        • API String ID: 2597515329-129974550
                                                        • Opcode ID: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction ID: 4e480e46cc5d295efe0c4aa0f28b49e3d6d8f6e015631aa8c9961a07f8bcf732
                                                        • Opcode Fuzzy Hash: 623229618a505599dd33b9e661a9492f940f1de7310a73129c9794aaeac70742
                                                        • Instruction Fuzzy Hash: CE01A4B07803057AF7305B79CC8FF5A7A68DF81B50F508558F718AE1C4DAB89A0483A9

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 330 bf3bcf-bf3beb 331 bf3bed-bf3bf5 330->331 332 bf3c3b-bf3c45 call bf2529 330->332 334 bf3bf6-bf3bf9 331->334 340 bf3c8d-bf3cd5 GetSystemDirectoryA call bf3cb1 332->340 341 bf3c47-bf3c6e call bf3c54 call bf26ce GetProcAddress 332->341 335 bf3bfb-bf3c00 334->335 336 bf3c25 334->336 335->336 338 bf3c02-bf3c23 335->338 336->334 339 bf3c27-bf3cd5 GetWindowsDirectoryA call bf3cc8 336->339 338->336 350 bf3cd7-bf3d52 GetProcAddress LoadLibraryA call bf10c8 call bf01cb GetTickCount call bf3b08 339->350 340->350 354 bf3c72-bf3c8c call bf3c82 341->354 355 bf3c70 341->355 362 bf3d5a-bf3d5f call bf3b08 350->362 363 bf3d54 350->363 354->340 355->354 366 bf3d61-bf3d78 362->366 363->362 367 bf3d7a-bf3d8a call bf62d9 call bf2736 366->367 372 bf3d8c-bf3d8e 367->372 373 bf3d90-bf3dac call bf62d9 367->373 375 bf3dad-bf3dae 372->375 373->375 375->367 377 bf3db0-bf3db6 375->377 377->366 378 bf3db8-bf3dc2 call bf2736 377->378 381 bf3dc4-bf3dcc call bf274a 378->381 382 bf3dd1-bf3e0a call bf2736 GetVolumeInformationA 378->382 381->382 386 bf3e0c-bf3e12 382->386 387 bf3e14-bf3e1a 382->387 388 bf3e23-bf3e30 386->388 387->388 389 bf3e1c 387->389 390 bf3eb7 388->390 391 bf3e36-bf3e5a call bf3e47 388->391 389->388 392 bf3ec1 390->392 391->392 400 bf3e5c-bf3e62 391->400 394 bf3ec3-bf3edb CreateThread CloseHandle 392->394 395 bf3ee1-bf3f4e call bf3ef2 call bf10c8 call bf3f21 call bf10c8 392->395 394->395 414 bf4259-bf425b RtlExitUserThread 395->414 415 bf3f54-bf3f97 WSAStartup CreateThread CloseHandle CreateEventA 395->415 402 bf3e8b-bf3e9f 400->402 403 bf3e64-bf3e69 400->403 407 bf3ea6-bf3eb0 402->407 405 bf3e6b-bf3e8a 403->405 406 bf3e92-bf3e9f 403->406 405->402 406->407 407->390 410 bf3eb2 call bf3397 407->410 410->390 416 bf3f9d-bf3fb5 call bf378c 415->416 419 bf3fbc-bf3fcf call bf3b22 416->419 420 bf3fb7-bf3fba 416->420 426 bf4207-bf420e 419->426 427 bf3fd5 419->427 420->419 421 bf3fd7-bf3fdf 420->421 424 bf3fe1-bf3fee lstrlen 421->424 425 bf3ff0-bf3ff9 gethostbyname 421->425 424->424 424->425 428 bf3fff-bf4006 425->428 429 bf424e-bf4254 425->429 426->414 430 bf4210-bf4217 426->430 431 bf400c-bf402b socket 427->431 428->431 429->416 432 bf422b-bf4249 Sleep ResetEvent 430->432 433 bf4219-bf4225 SetEvent 430->433 431->426 434 bf4031-bf4044 connect 431->434 432->416 433->432 435 bf404a-bf4123 call bf2736 call bf274a GetVersionExA call bf274a call bf32ea call bf4103 wsprintfA call bf32ea 434->435 436 bf4200-bf4201 closesocket 434->436 451 bf4125-bf413b CreateThread CloseHandle 435->451 452 bf4141 435->452 436->426 451->452 453 bf4147-bf415d 452->453 453->436 455 bf4163-bf4165 453->455 456 bf4167-bf417f 455->456 457 bf4184-bf418c 456->457 458 bf4181 456->458 457->456 459 bf418e 457->459 458->457 460 bf4194-bf4198 459->460 461 bf41aa-bf41ac 460->461 462 bf419a-bf41a1 call bf2f02 460->462 464 bf41ae-bf41b8 461->464 462->436 467 bf41a3 462->467 466 bf41bd-bf41cb call bf647a call bf6494 464->466 466->453 473 bf41d1-bf41db Sleep 466->473 467->464 469 bf41a5-bf41a8 467->469 469->460 473->466 474 bf41dd-bf41ee GetTickCount 473->474 474->453 475 bf41f4-bf41fb 474->475 475->436 475->453
                                                        APIs
                                                        • GetWindowsDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 00BF3C33
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 00BF3C66
                                                        • GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                        • GetTickCount.KERNEL32 ref: 00BF3D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BF6E32,00000000,00000000,00000000,00000000), ref: 00BF3DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3969011833-1880045089
                                                        • Opcode ID: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction ID: 538afad1baf5ec263dcb1454f5ab3005b07dad66d1e2dc2f7ca960758472897b
                                                        • Opcode Fuzzy Hash: 641fa007076ed996f10b61fe47295b7606b1f940137153faec4deecef9317252
                                                        • Instruction Fuzzy Hash: 99F1167151924CBEDB25AF24CC5ABFA7BECEF01700F00459AEA495F082D6F05F4986A6

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 476 bf3c54-bf3c5c GetModuleHandleA 477 bf3c5e-bf3c60 476->477 478 bf3c72-bf3d52 call bf3c82 GetSystemDirectoryA call bf3cb1 GetProcAddress LoadLibraryA call bf10c8 call bf01cb GetTickCount call bf3b08 476->478 479 bf3c66-bf3c6e GetProcAddress 477->479 480 bf3c61 call bf26ce 477->480 494 bf3d5a-bf3d5f call bf3b08 478->494 495 bf3d54 478->495 479->478 483 bf3c70 479->483 480->479 483->478 498 bf3d61-bf3d78 494->498 495->494 499 bf3d7a-bf3d8a call bf62d9 call bf2736 498->499 504 bf3d8c-bf3d8e 499->504 505 bf3d90-bf3dac call bf62d9 499->505 507 bf3dad-bf3dae 504->507 505->507 507->499 509 bf3db0-bf3db6 507->509 509->498 510 bf3db8-bf3dc2 call bf2736 509->510 513 bf3dc4-bf3dcc call bf274a 510->513 514 bf3dd1-bf3e0a call bf2736 GetVolumeInformationA 510->514 513->514 518 bf3e0c-bf3e12 514->518 519 bf3e14-bf3e1a 514->519 520 bf3e23-bf3e30 518->520 519->520 521 bf3e1c 519->521 522 bf3eb7 520->522 523 bf3e36-bf3e5a call bf3e47 520->523 521->520 524 bf3ec1 522->524 523->524 532 bf3e5c-bf3e62 523->532 526 bf3ec3-bf3edb CreateThread CloseHandle 524->526 527 bf3ee1-bf3f4e call bf3ef2 call bf10c8 call bf3f21 call bf10c8 524->527 526->527 546 bf4259-bf425b RtlExitUserThread 527->546 547 bf3f54-bf3f97 WSAStartup CreateThread CloseHandle CreateEventA 527->547 534 bf3e8b-bf3e9f 532->534 535 bf3e64-bf3e69 532->535 539 bf3ea6-bf3eb0 534->539 537 bf3e6b-bf3e8a 535->537 538 bf3e92-bf3e9f 535->538 537->534 538->539 539->522 542 bf3eb2 call bf3397 539->542 542->522 548 bf3f9d-bf3fb5 call bf378c 547->548 551 bf3fbc-bf3fcf call bf3b22 548->551 552 bf3fb7-bf3fba 548->552 558 bf4207-bf420e 551->558 559 bf3fd5 551->559 552->551 553 bf3fd7-bf3fdf 552->553 556 bf3fe1-bf3fee lstrlen 553->556 557 bf3ff0-bf3ff9 gethostbyname 553->557 556->556 556->557 560 bf3fff-bf4006 557->560 561 bf424e-bf4254 557->561 558->546 562 bf4210-bf4217 558->562 563 bf400c-bf402b socket 559->563 560->563 561->548 564 bf422b-bf4249 Sleep ResetEvent 562->564 565 bf4219-bf4225 SetEvent 562->565 563->558 566 bf4031-bf4044 connect 563->566 564->548 565->564 567 bf404a-bf4123 call bf2736 call bf274a GetVersionExA call bf274a call bf32ea call bf4103 wsprintfA call bf32ea 566->567 568 bf4200-bf4201 closesocket 566->568 583 bf4125-bf413b CreateThread CloseHandle 567->583 584 bf4141 567->584 568->558 583->584 585 bf4147-bf415d 584->585 585->568 587 bf4163-bf4165 585->587 588 bf4167-bf417f 587->588 589 bf4184-bf418c 588->589 590 bf4181 588->590 589->588 591 bf418e 589->591 590->589 592 bf4194-bf4198 591->592 593 bf41aa-bf41ac 592->593 594 bf419a-bf41a1 call bf2f02 592->594 596 bf41ae-bf41b8 593->596 594->568 599 bf41a3 594->599 598 bf41bd-bf41cb call bf647a call bf6494 596->598 598->585 605 bf41d1-bf41db Sleep 598->605 599->596 601 bf41a5-bf41a8 599->601 601->592 605->598 606 bf41dd-bf41ee GetTickCount 605->606 606->585 607 bf41f4-bf41fb 606->607 607->568 607->585
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00BF3C4C), ref: 00BF3C54
                                                        • GetProcAddress.KERNEL32(00000000,00000002), ref: 00BF3C66
                                                        • GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                        • GetTickCount.KERNEL32 ref: 00BF3D25
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 00BF3CA8, 00BF4113, 00BF4152
                                                        • ADVAPI32.DLL, xrefs: 00BF3CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BF3E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 00BF4151
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2837544101-1880045089
                                                        • Opcode ID: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction ID: 47a94a2c8182a239b2a61f30024b3022499d00d70b52de942a64ea090f82d4fd
                                                        • Opcode Fuzzy Hash: 2f4aa13993f0f468c7ca012f01f3d1d79fdb6f63357e5a53078e4f22ecad62f5
                                                        • Instruction Fuzzy Hash: 2BE1277151924DBEEB25AF34CC5ABFA7BECEF01700F00059AE9499F082D6F05F4986A5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
control_flow_graph 608 bf3c82-bf3d52 GetModuleHandleA call bf26ce GetSystemDirectoryA call bf3cb1 GetProcAddress LoadLibraryA call bf10c8 call bf01cb GetTickCount call bf3b08 620 bf3d5a-bf3d5f call bf3b08 608->620 621 bf3d54 608->621 624 bf3d61-bf3d78 620->624 621->620 625 bf3d7a-bf3d8a call bf62d9 call bf2736 624->625 630 bf3d8c-bf3d8e 625->630 631 bf3d90-bf3dac call bf62d9 625->631 633 bf3dad-bf3dae 630->633 631->633 633->625 635 bf3db0-bf3db6 633->635 635->624 636 bf3db8-bf3dc2 call bf2736 635->636 639 bf3dc4-bf3dcc call bf274a 636->639 640 bf3dd1-bf3e0a call bf2736 GetVolumeInformationA 636->640 639->640 644 bf3e0c-bf3e12 640->644 645 bf3e14-bf3e1a 640->645 646 bf3e23-bf3e30 644->646 645->646 647 bf3e1c 645->647 648 bf3eb7 646->648 649 bf3e36-bf3e5a call bf3e47 646->649 647->646 650 bf3ec1 648->650 649->650 658 bf3e5c-bf3e62 649->658 652 bf3ec3-bf3edb CreateThread CloseHandle 650->652 653 bf3ee1-bf3f4e call bf3ef2 call bf10c8 call bf3f21 call bf10c8 650->653 652->653 672 bf4259-bf425b RtlExitUserThread 653->672 673 bf3f54-bf3f97 WSAStartup CreateThread CloseHandle CreateEventA 653->673 660 bf3e8b-bf3e9f 658->660 661 bf3e64-bf3e69 658->661 665 bf3ea6-bf3eb0 660->665 663 bf3e6b-bf3e8a 661->663 664 bf3e92-bf3e9f 661->664 663->660 664->665 665->648 668 bf3eb2 call bf3397 665->668 668->648 674 bf3f9d-bf3fb5 call bf378c 673->674 677 bf3fbc-bf3fcf call bf3b22 674->677 678 bf3fb7-bf3fba 674->678 684 bf4207-bf420e 677->684 685 bf3fd5 677->685 678->677 679 bf3fd7-bf3fdf 678->679 682 bf3fe1-bf3fee lstrlen 679->682 683 bf3ff0-bf3ff9 gethostbyname 679->683 682->682 682->683 686 bf3fff-bf4006 683->686 687 bf424e-bf4254 683->687 684->672 688 bf4210-bf4217 684->688 689 bf400c-bf402b socket 685->689 686->689 687->674 690 bf422b-bf4249 Sleep ResetEvent 688->690 691 bf4219-bf4225 SetEvent 688->691 689->684 692 bf4031-bf4044 connect 689->692 690->674 691->690 693 bf404a-bf4123 call bf2736 call bf274a GetVersionExA call bf274a call bf32ea call bf4103 wsprintfA call bf32ea 692->693 694 bf4200-bf4201 closesocket 692->694 709 bf4125-bf413b CreateThread CloseHandle 693->709 710 bf4141 693->710 694->684 709->710 711 bf4147-bf415d 710->711 711->694 713 bf4163-bf4165 711->713 714 bf4167-bf417f 713->714 715 bf4184-bf418c 714->715 716 bf4181 714->716 715->714 717 bf418e 715->717 716->715 718 bf4194-bf4198 717->718 719 bf41aa-bf41ac 718->719 720 bf419a-bf41a1 call bf2f02 718->720 722 bf41ae-bf41b8 719->722 720->694 725 bf41a3 720->725 724 bf41bd-bf41cb call bf647a call bf6494 722->724 724->711 731 bf41d1-bf41db Sleep 724->731 725->722 727 bf41a5-bf41a8 725->727 727->718 731->724 732 bf41dd-bf41ee GetTickCount 731->732 732->711 733 bf41f4-bf41fb 732->733 733->694 733->711
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00BF3C77), ref: 00BF3C82
                                                        • GetSystemDirectoryA.KERNEL32(020a00 . . :#997242831 +*,00000104), ref: 00BF3C99
                                                          • Part of subcall function 00BF3CB1: lstrcat.KERNEL32(020a00 . . :#997242831 +*,00BF3CA4), ref: 00BF3CB2
                                                          • Part of subcall function 00BF3CB1: GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                          • Part of subcall function 00BF3CB1: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                          • Part of subcall function 00BF3CB1: GetTickCount.KERNEL32 ref: 00BF3D25
                                                          • Part of subcall function 00BF3CB1: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BF6E32,00000000,00000000,00000000,00000000), ref: 00BF3DF7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 215653160-1880045089
                                                        • Opcode ID: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction ID: ce839d2fdc0fa26246e138f1a1e18a7241b45c43ad3a9b417805bfea8d153ebf
                                                        • Opcode Fuzzy Hash: cff6bdfd01fc09df8e5715957179302f7cc569bb164cb7895778d7b2181f048e
                                                        • Instruction Fuzzy Hash: 2BD1047151524DBEEB25AF34CC5ABFA3BECEF01700F000599EA499F082D6F45F498AA5

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
control_flow_graph 734 bf3cb1-bf3d52 lstrcat call bf3cc8 GetProcAddress LoadLibraryA call bf10c8 call bf01cb GetTickCount call bf3b08 745 bf3d5a-bf3d5f call bf3b08 734->745 746 bf3d54 734->746 749 bf3d61-bf3d78 745->749 746->745 750 bf3d7a-bf3d8a call bf62d9 call bf2736 749->750 755 bf3d8c-bf3d8e 750->755 756 bf3d90-bf3dac call bf62d9 750->756 758 bf3dad-bf3dae 755->758 756->758 758->750 760 bf3db0-bf3db6 758->760 760->749 761 bf3db8-bf3dc2 call bf2736 760->761 764 bf3dc4-bf3dcc call bf274a 761->764 765 bf3dd1-bf3e0a call bf2736 GetVolumeInformationA 761->765 764->765 769 bf3e0c-bf3e12 765->769 770 bf3e14-bf3e1a 765->770 771 bf3e23-bf3e30 769->771 770->771 772 bf3e1c 770->772 773 bf3eb7 771->773 774 bf3e36-bf3e5a call bf3e47 771->774 772->771 775 bf3ec1 773->775 774->775 783 bf3e5c-bf3e62 774->783 777 bf3ec3-bf3edb CreateThread CloseHandle 775->777 778 bf3ee1-bf3f4e call bf3ef2 call bf10c8 call bf3f21 call bf10c8 775->778 777->778 797 bf4259-bf425b RtlExitUserThread 778->797 798 bf3f54-bf3f97 WSAStartup CreateThread CloseHandle CreateEventA 778->798 785 bf3e8b-bf3e9f 783->785 786 bf3e64-bf3e69 783->786 790 bf3ea6-bf3eb0 785->790 788 bf3e6b-bf3e8a 786->788 789 bf3e92-bf3e9f 786->789 788->785 789->790 790->773 793 bf3eb2 call bf3397 790->793 793->773 799 bf3f9d-bf3fb5 call bf378c 798->799 802 bf3fbc-bf3fcf call bf3b22 799->802 803 bf3fb7-bf3fba 799->803 809 bf4207-bf420e 802->809 810 bf3fd5 802->810 803->802 804 bf3fd7-bf3fdf 803->804 807 bf3fe1-bf3fee lstrlen 804->807 808 bf3ff0-bf3ff9 gethostbyname 804->808 807->807 807->808 811 bf3fff-bf4006 808->811 812 bf424e-bf4254 808->812 809->797 813 bf4210-bf4217 809->813 814 bf400c-bf402b socket 810->814 811->814 812->799 815 bf422b-bf4249 Sleep ResetEvent 813->815 816 bf4219-bf4225 SetEvent 813->816 814->809 817 bf4031-bf4044 connect 814->817 815->799 816->815 818 bf404a-bf4123 call bf2736 call bf274a GetVersionExA call bf274a call bf32ea call bf4103 wsprintfA call bf32ea 817->818 819 bf4200-bf4201 closesocket 817->819 834 bf4125-bf413b CreateThread CloseHandle 818->834 835 bf4141 818->835 819->809 834->835 836 bf4147-bf415d 835->836 836->819 838 bf4163-bf4165 836->838 839 bf4167-bf417f 838->839 840 bf4184-bf418c 839->840 841 bf4181 839->841 840->839 842 bf418e 840->842 841->840 843 bf4194-bf4198 842->843 844 bf41aa-bf41ac 843->844 845 bf419a-bf41a1 call bf2f02 843->845 847 bf41ae-bf41b8 844->847 845->819 850 bf41a3 845->850 849 bf41bd-bf41cb call bf647a call bf6494 847->849 849->836 856 bf41d1-bf41db Sleep 849->856 850->847 852 bf41a5-bf41a8 850->852 852->843 856->849 857 bf41dd-bf41ee GetTickCount 856->857 857->836 858 bf41f4-bf41fb 857->858 858->819 858->836
                                                        APIs
                                                        • lstrcat.KERNEL32(020a00 . . :#997242831 +*,00BF3CA4), ref: 00BF3CB2
                                                          • Part of subcall function 00BF3CC8: LoadLibraryA.KERNEL32(00BF3CBD), ref: 00BF3CC8
                                                          • Part of subcall function 00BF3CC8: GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                          • Part of subcall function 00BF3CC8: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                          • Part of subcall function 00BF3CC8: GetTickCount.KERNEL32 ref: 00BF3D25
                                                          • Part of subcall function 00BF3CC8: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BF6E32,00000000,00000000,00000000,00000000), ref: 00BF3DF7
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 00BF3CB1, 00BF4113, 00BF4152
                                                        • ADVAPI32.DLL, xrefs: 00BF3CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BF3E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 00BF4151
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2038497427-1880045089
                                                        • Opcode ID: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction ID: e476fb480c94bd445115ed9e5722aed1926d376dc6b95a2016b05cd260c42cc1
                                                        • Opcode Fuzzy Hash: fe784a5d30081a8608250ab493a61ba96e24a697c9d128d37ca0d94169597329
                                                        • Instruction Fuzzy Hash: 0DD1037151524DBEEB25AF34CC5ABFA3BECEF01700F000599EA499F082D6F45F498AA5
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00BF3CBD), ref: 00BF3CC8
                                                          • Part of subcall function 00BF3CDD: GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                          • Part of subcall function 00BF3CDD: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                          • Part of subcall function 00BF3CDD: GetTickCount.KERNEL32 ref: 00BF3D25
                                                          • Part of subcall function 00BF3CDD: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BF6E32,00000000,00000000,00000000,00000000), ref: 00BF3DF7
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 00BF4113, 00BF4152
                                                        • ADVAPI32.DLL, xrefs: 00BF3CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BF3E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 00BF4151
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3734769084-1880045089
                                                        • Opcode ID: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction ID: e99ab563f9408cb2e22bfd9e04a32ca76112121d46dfe1e90c9d7425d10858cc
                                                        • Opcode Fuzzy Hash: 2fed5560ce7e534775cf0c761ab666ca4e2e35c67c29b2e67a8a697d2de1a857
                                                        • Instruction Fuzzy Hash: 80C1F37151524DBEEB25AF34CC5ABFA7BECEF01700F000599EA499F082D6F05F498AA5
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00BF3F15), ref: 00BF3F21
                                                        • WSAStartup.WS2_32(00000101), ref: 00BF3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00BF3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00BF3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BF3F91
                                                        • lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00BF3FE2
                                                        • gethostbyname.WS2_32(ilo.brenz.pl), ref: 00BF3FF1
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00BF4022
                                                        • connect.WS2_32(6F6C6902,00BF3A9B,00000010), ref: 00BF403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00BF4086
                                                        • wsprintfA.USER32 ref: 00BF4104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 00BF4132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,00BF6E32,00000099,6F6C6902,6F6C6902,00BF3AE4,00000014,00000000), ref: 00BF413B
                                                        • RtlExitUserThread.NTDLL(00000000), ref: 00BF425B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
                                                        • API String ID: 3947895852-2481640231
                                                        • Opcode ID: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction ID: d61a6da81932d9317f458582f87ff8d4107751efd3920310c46f4d2b42b5c9a4
                                                        • Opcode Fuzzy Hash: 819da190264878c6b5ce7bf1f9587eecce4c5cbbef942841dd0e8de03adaa998
                                                        • Instruction Fuzzy Hash: 0181DF71505249BEEB359F24C85ABEA7BECEF41300F040598F9595F091C7F09F498769
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,00BF3CD3), ref: 00BF3CDE
                                                        • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BF3CF1
                                                        • GetTickCount.KERNEL32 ref: 00BF3D25
                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BF6E32,00000000,00000000,00000000,00000000), ref: 00BF3DF7
                                                        • CreateThread.KERNEL32(00000000,00000000,00BF3623,00000000,00000000), ref: 00BF3ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00BF3EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 00BF3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00BF3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00BF3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BF3F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00BF4022
                                                        • connect.WS2_32(6F6C6902,00BF3A9B,00000010), ref: 00BF403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00BF4086
                                                        • wsprintfA.USER32 ref: 00BF4104
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 00BF421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 00BF4230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 00BF4243
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 00BF4113, 00BF4152
                                                        • ADVAPI32.DLL, xrefs: 00BF3CF0
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BF3E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 00BF4151
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 927156256-1880045089
                                                        • Opcode ID: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction ID: a2fefe356ae5a491ee84b11b6bcbb4e1c5255509c078a7fe0a0c801841385755
                                                        • Opcode Fuzzy Hash: 7e61413b3314eb8696fa62f42cb2393cbd1ba069372bff40fe0d2448cd1eb18c
                                                        • Instruction Fuzzy Hash: 31D1F37151524CBEEB25AF24CC5ABFA3BECEF01700F00059AEA499F082D6F45F4986A5
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,00BF3E52), ref: 00BF3E5F
                                                        • GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 00BF3E74
                                                        • wsprintfA.USER32 ref: 00BF3E89
                                                        • CreateThread.KERNEL32(00000000,00000000,00BF3623,00000000,00000000), ref: 00BF3ED2
                                                        • CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00BF3EDB
                                                        • WSAStartup.WS2_32(00000101), ref: 00BF3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00BF3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00BF3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BF3F91
                                                          • Part of subcall function 00BF3397: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BF33DC
                                                          • Part of subcall function 00BF3397: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BF33FB
                                                          • Part of subcall function 00BF3397: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BF3425
                                                          • Part of subcall function 00BF3397: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BF3432
                                                          • Part of subcall function 00BF3397: UnmapViewOfFile.KERNEL32(?), ref: 00BF344A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
                                                        • String ID: 020a00 . . :#997242831 +*$C:,$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 3630706530-3937138646
                                                        • Opcode ID: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction ID: 73ca9ca211a9ed23522483ff933cb438bab18fc277aa441dde89ca93d7937a64
                                                        • Opcode Fuzzy Hash: bcc0a6a729d69826ff998b7f1a17d0c31890b2b6bc4dbb3ed85b4e754293eac6
                                                        • Instruction Fuzzy Hash: 9B91C171505249BEDB25AF24CC5ABFB7BACEF41300F004659F9495F081D6F06F498BA5
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(00BF3E3B), ref: 00BF3E47
                                                          • Part of subcall function 00BF3E5E: GetProcAddress.KERNEL32(00000000,00BF3E52), ref: 00BF3E5F
                                                          • Part of subcall function 00BF3E5E: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#997242831 +*,000000C8), ref: 00BF3E74
                                                          • Part of subcall function 00BF3E5E: wsprintfA.USER32 ref: 00BF3E89
                                                          • Part of subcall function 00BF3E5E: CreateThread.KERNEL32(00000000,00000000,00BF3623,00000000,00000000), ref: 00BF3ED2
                                                          • Part of subcall function 00BF3E5E: CloseHandle.KERNEL32(?,8CAEFD3D), ref: 00BF3EDB
                                                          • Part of subcall function 00BF3E5E: WSAStartup.WS2_32(00000101), ref: 00BF3F60
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00BF3F7B
                                                        • CloseHandle.KERNEL32(?,00000000), ref: 00BF3F84
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BF3F91
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00BF4022
                                                        • connect.WS2_32(6F6C6902,00BF3A9B,00000010), ref: 00BF403C
                                                        • GetVersionExA.KERNEL32(?,?,00000000), ref: 00BF4086
                                                        • wsprintfA.USER32 ref: 00BF4104
                                                        Strings
                                                        • 020a00 . . :#997242831 +*, xrefs: 00BF4113, 00BF4152
                                                        • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BF3E9E
                                                        • \DEVICE\AFD\ENDPOINT, xrefs: 00BF4151
                                                        Memory Dump Source
                                                        • Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
                                                        • String ID: 020a00 . . :#997242831 +*$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
                                                        • API String ID: 2507355515-4156410515
                                                        • Opcode ID: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction ID: 2a8453572c4227a9b01c205ef04eec0dd8c6937664b6fddae06b8d72be373fc7
                                                        • Opcode Fuzzy Hash: 240653d7d38c95bf206f9e7da4c77085d18b642f4d9280700e54a33fda58d2dc
                                                        • Instruction Fuzzy Hash: 0091E171119249BEDB21AF24CC5ABFA7BECEF41300F004599E9495F082D6F09F4987A6
                                                        APIs
                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 00BF4022
                                                        • connect.WS2_32(6F6C6902,00BF3A9B,00000010), ref: 00BF403C
                                                        • wsprintfA.USER32 ref: 00BF4104
                                                        • CreateThread.KERNEL32(?,?,Function_000037AB,6F6C6902), ref: 00BF4132
                                                        • CloseHandle.KERNEL32(?,?,Function_000037AB,6F6C6902,?,?,00000023,00BF6E32,00000099,6F6C6902,6F6C6902,00BF3AE4,00000014,00000000), ref: 00BF413B
                                                        • Sleep.KERNEL32(00000064,?,?,?,Function_000037AB,6F6C6902,?,?,00000023,00BF6E32,00000099,6F6C6902,6F6C6902,00BF3AE4,00000014,00000000), ref: 00BF41D4
                                                        • GetTickCount.KERNEL32 ref: 00BF41DD
                                                        • closesocket.WS2_32(6F6C6902), ref: 00BF4201
                                                        • SetEvent.KERNEL32(00000644,?,00000000), ref: 00BF421F
                                                        • Sleep.KERNEL32(00007530,?,00000000), ref: 00BF4230
                                                        • ResetEvent.KERNEL32(00000644,?,00000000), ref: 00BF4243
                                                        Strings
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
• String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
• API String ID: 2506426657-2210051122
APIs
• LoadLibraryA.KERNEL32(00BF3EE6), ref: 00BF3EF2
  • Part of subcall function 00BF3F21: LoadLibraryA.KERNEL32(00BF3F15), ref: 00BF3F21
  • Part of subcall function 00BF3F21: WSAStartup.WS2_32(00000101), ref: 00BF3F60
  • Part of subcall function 00BF3F21: CreateThread.KERNEL32(00000000,00000000,Function_0000381A,00000000,00000000), ref: 00BF3F7B
  • Part of subcall function 00BF3F21: CloseHandle.KERNEL32(?,00000000), ref: 00BF3F84
  • Part of subcall function 00BF3F21: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BF3F91
  • Part of subcall function 00BF3F21: socket.WS2_32(00000002,00000001,00000000), ref: 00BF4022
  • Part of subcall function 00BF3F21: connect.WS2_32(6F6C6902,00BF3A9B,00000010), ref: 00BF403C
  • Part of subcall function 00BF3F21: GetVersionExA.KERNEL32(?,?,00000000), ref: 00BF4086
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
• String ID: 020a00 . . :#997242831 +*$\DEVICE\AFD\ENDPOINT
• API String ID: 3793714048-2210051122
APIs
• GetSystemTime.KERNEL32(00BF74C0), ref: 00BF3831
• Sleep.KERNEL32(0000EA60), ref: 00BF38A3
• InternetGetConnectedState.WININET(?,00000000), ref: 00BF38BC
• gethostbyname.WS2_32(0D278061), ref: 00BF38FE
• socket.WS2_32(00000002,00000001,00000000), ref: 00BF3913
• ioctlsocket.WS2_32(?,8004667E), ref: 00BF392C
• connect.WS2_32(?,?,00000010), ref: 00BF3945
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00BF3953
• closesocket.WS2_32 ref: 00BF39B2
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: toexkd.com
• API String ID: 159131500-233167519
APIs
• GetTempPathA.KERNEL32(00000104), ref: 00BF2786
  • Part of subcall function 00BF27A1: GetTempFileNameA.KERNEL32(?,00BF279D,00000000,?), ref: 00BF27A2
  • Part of subcall function 00BF27A1: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00BF279D,00000000,?), ref: 00BF27BD
  • Part of subcall function 00BF27A1: InternetReadFile.WININET(?,?,00000104), ref: 00BF27D7
  • Part of subcall function 00BF27A1: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00BF279D,00000000,?), ref: 00BF27ED
  • Part of subcall function 00BF27A1: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00BF279D,00000000,?), ref: 00BF27F9
  • Part of subcall function 00BF27A1: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00BF279D), ref: 00BF281D
  • Part of subcall function 00BF27A1: InternetCloseHandle.WININET(?), ref: 00BF282D
• InternetCloseHandle.WININET(00000000), ref: 00BF2834
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
APIs
• GetTempFileNameA.KERNEL32(?,00BF279D,00000000,?), ref: 00BF27A2
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00BF279D,00000000,?), ref: 00BF27BD
• InternetReadFile.WININET(?,?,00000104), ref: 00BF27D7
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00BF279D,00000000,?), ref: 00BF27ED
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,00BF279D,00000000,?), ref: 00BF27F9
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00BF279D), ref: 00BF281D
• InternetCloseHandle.WININET(?), ref: 00BF282D
• InternetCloseHandle.WININET(00000000), ref: 00BF2834
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
• String ID:
• API String ID: 3452404049-0
APIs
• GetModuleHandleA.KERNEL32(039CFF54), ref: 00BF1137
• GetProcAddress.KERNEL32(00000000,00BF11D0), ref: 00BF1142
Memory Dump Source
• Source File: 00000011.00000002.2980950963.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_bf0000_mssecsvc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287