
Windows Analysis Report
UBpReASuEC

Overview

General Information

Sample Name: UBpReASuEC (renamed file extension from none to dll)
Analysis ID: 670724
MD5: 66df13c96db53128fee1997dc75cd1b9
SHA1: 96b538087dd52cdd71b753e25d3f208ad45efc1b
SHA256: 3743363b9a2845554eed086c43ee5756bd8878867b4cb0a3c0ba6f096596aa5d
Tags: dllOpenCTIBRSandboxed

Detection

Wannacry
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Wannacry ransomware
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Found evasive API chain (may execute only at specific dates)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Tries to evade debugger and weak emulator (self modifying code)
Machine Learning detection for sample
Machine Learning detection for dropped file
Creates a thread in another existing process (thread injection)
Tries to resolve many domain names, but no domain seems valid
Drops executables to the windows directory (C:\Windows) and starts them
Queries random domain names (often used to prevent blacklisting and sinkholes)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Found evasive API chain (date check)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Entry point lies outside standard sections
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Drops PE files
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6876 cmdline: loaddll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6884 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6904 cmdline: rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • mssecsvc.exe (PID: 6944 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 2391E0DBB3A7862306913032CE72F302)
          • winlogon.exe (PID: 576 cmdline: winlogon.exe MD5: F9017F2DC455AD373DF036F5817A8870)
          • lsass.exe (PID: 624 cmdline: C:\Windows\system32\lsass.exe MD5: 317340CD278A374BCEF6A30194557227)
            • backgroundTaskHost.exe (PID: 1592 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
            • WMIADAP.exe (PID: 6908 cmdline: wmiadap.exe /F /T /R MD5: 9783D0765F31980950445DFD40DB15DA)
            • svchost.exe (PID: 6012 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • fontdrvhost.exe (PID: 728 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • fontdrvhost.exe (PID: 736 cmdline: fontdrvhost.exe MD5: 31113981180E69C2773BCADA4051738A)
          • svchost.exe (PID: 812 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • BackgroundTransferHost.exe (PID: 4320 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
            • BackgroundTransferHost.exe (PID: 3040 cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 MD5: 02BA81746B929ECC9DB6665589B68335)
            • backgroundTaskHost.exe (PID: 6196 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXv783p9dqgsc3mek8m05c3tj95wa9p858.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
          • svchost.exe (PID: 904 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 372 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 256 cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 472 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 696 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1040 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1060 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1172 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1304 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1372 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s EventSystem MD5: 32569E403279B3FD2EDB7EBD036273FA)
          • svchost.exe (PID: 1388 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p -s Themes MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • rundll32.exe (PID: 6892 cmdline: rundll32.exe C:\Users\user\Desktop\UBpReASuEC.dll,PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6960 cmdline: rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",PlayGame MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • mssecsvc.exe (PID: 6976 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 2391E0DBB3A7862306913032CE72F302)
  • mssecsvc.exe (PID: 7092 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 2391E0DBB3A7862306913032CE72F302)
    • svchost.exe (PID: 744 cmdline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • svchost.exe (PID: 860 cmdline: c:\windows\system32\svchost.exe -k rpcss -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • dwm.exe (PID: 992 cmdline: dwm.exe MD5: 70073A05B2B43FFB7A625708BB29E7C7)
  • svchost.exe (PID: 5488 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6480 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6644 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup
No configs have been found
Yara Overview: Initial Sample

Source | Rule | Description | Author | Strings
UBpReASuEC.dll | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x353d0:$x3: tasksche.exe
  • 0x455e0:$x3: tasksche.exe
  • 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x45634:$x5: WNcry@2ol7
  • 0x3028:$x7: mssecsvc.exe
  • 0x120ac:$x7: mssecsvc.exe
  • 0x1b3b4:$x7: mssecsvc.exe
  • 0x353a8:$x8: C:\%s\qeriuwjhrf
  • 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0x3014:$s1: C:\%s\%s
  • 0x12098:$s1: C:\%s\%s
  • 0x1b39c:$s1: C:\%s\%s
  • 0x353bc:$s1: C:\%s\%s
  • 0x45534:$s3: cmd.exe /c "%s"
  • 0x77a88:$s4: msg/m_portuguese.wnry
  • 0x326f0:$s5: \\192.168.56.20\IPC$
  • 0x1fae5:$s6: \\172.16.99.5\IPC$
  • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
UBpReASuEC.dll | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
UBpReASuEC.dll | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
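The two rule families above report the same bytes in different encodings: Florian Roth's rule prints its hits as text, the us-cert rule prints $s11 and $s12 as hex. The Python below is an added worked check, not part of the Joe Sandbox report and not code from either rule. It parses the match lines exactly as the report prints them, decodes the hex hits to ASCII, and verifies that every overlapping hit agrees byte for byte, so that the $x1 "icacls" hit at 0x45604 really is the tail of $s11 running straight into $s12 at 0x45608. The `?` placeholder for bytes that no hit covers is this example's own convention.

```python
"""Decode and cross-check the Yara string hits listed above.

Added example (not part of the Joe Sandbox report). It takes the match lines
as the report prints them, decodes the hex-encoded $s11/$s12 hits of the
us-cert 'wanna_cry_ransomware_generic' rule into ASCII, and verifies that they
line up byte-for-byte with the ASCII hits of Florian Roth's
'WannaCry_Ransomware' rule at the same file offsets.
"""
import re

# Match lines for UBpReASuEC.dll, copied verbatim from the report table.
REPORT_MATCHES = """
0x45604:$x1: icacls . /grant Everyone:F /T /C /Q
0x455e0:$x3: tasksche.exe
0x455bc:$x4: Global\\MsWinZonesCacheCounterMutexA
0x45634:$x5: WNcry@2ol7
0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w+):\s(.*)$")
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}\s?)+$")


def parse_matches(text):
    """Return a list of (offset, identifier, raw bytes) from report match lines."""
    hits = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        offset, ident, value = int(m.group(1), 16), m.group(2), m.group(3)
        if HEX_RE.match(value):
            data = bytes.fromhex(value.replace(" ", ""))   # hex-encoded Yara hit
        else:
            data = value.encode("latin-1")                  # plain ASCII Yara hit
        hits.append((offset, ident, data))
    return hits


def reconstruct(hits):
    """Lay every hit into a sparse byte map keyed by file offset; record conflicts."""
    image, conflicts = {}, []
    for offset, ident, data in hits:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in image and image[pos] != b:
                conflicts.append((pos, ident))
            image[pos] = b
    return image, conflicts


def printable(data):
    """Render bytes as text, showing NULs as '\\0' so string boundaries stay visible."""
    return data.decode("latin-1").replace("\x00", "\\0")


def decoded_hex_hits(text):
    """Map each hex-encoded identifier ($s11, $s12) to its ASCII rendering."""
    return {ident: printable(data) for _, ident, data in parse_matches(text)
            if ident in ("$s11", "$s12")}


def region(text, start, end):
    """Bytes recovered for [start, end) from the overlapping hits, '?' where none."""
    image, _ = reconstruct(parse_matches(text))
    return "".join(printable(bytes([image[p]])) if p in image else "?"
                   for p in range(start, end))


if __name__ == "__main__":
    for ident, s in decoded_hex_hits(REPORT_MATCHES).items():
        print(f"{ident} decodes to: {s}")
    _, conflicts = reconstruct(parse_matches(REPORT_MATCHES))
    print("byte conflicts between rules:", conflicts or "none")
    print("0x455bc..0x4563e:", region(REPORT_MATCHES, 0x455bc, 0x4563e))
```

The same cross-check is worth running whenever rules from different authors fire on one sample: agreement at the byte level, including the NUL terminators between `tasksche.exe`, `TaskStart` and `t.wnry`, rules out a coincidental substring hit and shows the rules are keyed on one contiguous string table in the binary.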
Yara Overview: Dropped Files

Source | Rule | Description | Author | Strings
C:\Windows\tasksche.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
C:\Windows\tasksche.exe | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0x3136c:$x3: tasksche.exe
  • 0x4157c:$x3: tasksche.exe
  • 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0x415d0:$x5: WNcry@2ol7
  • 0xe048:$x7: mssecsvc.exe
  • 0x17350:$x7: mssecsvc.exe
  • 0x31344:$x8: C:\%s\qeriuwjhrf
  • 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe034:$s1: C:\%s\%s
  • 0x17338:$s1: C:\%s\%s
  • 0x31358:$s1: C:\%s\%s
  • 0x414d0:$s3: cmd.exe /c "%s"
  • 0x73a24:$s4: msg/m_portuguese.wnry
  • 0x2e68c:$s5: \\192.168.56.20\IPC$
  • 0x1ba81:$s6: \\172.16.99.5\IPC$
  • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
  • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
  • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
C:\Windows\mssecsvc.exe | WannaCry_Ransomware_Gen | Detects WannaCry Ransomware | Florian Roth (based on rule by US CERT)
  • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
  • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
  • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
  • 0x1d439:$s1: __TREEID__PLACEHOLDER__
  • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
  • 0x1f508:$s1: __TREEID__PLACEHOLDER__
  • 0x20570:$s1: __TREEID__PLACEHOLDER__
  • 0x215d8:$s1: __TREEID__PLACEHOLDER__
  • 0x22640:$s1: __TREEID__PLACEHOLDER__
  • 0x236a8:$s1: __TREEID__PLACEHOLDER__
  • 0x24710:$s1: __TREEID__PLACEHOLDER__
  • 0x25778:$s1: __TREEID__PLACEHOLDER__
  • 0x267e0:$s1: __TREEID__PLACEHOLDER__
  • 0x27848:$s1: __TREEID__PLACEHOLDER__
  • 0x288b0:$s1: __TREEID__PLACEHOLDER__
  • 0x29918:$s1: __TREEID__PLACEHOLDER__
  • 0x2a980:$s1: __TREEID__PLACEHOLDER__
  • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
  • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
  • 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
(1 additional entry not shown)
Yara Overview: Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.390692739.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000006.00000000.395643051.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000004.00000002.712940908.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000006.00000000.400396194.000000000040F000.00000008.00000001.01000000.00000004.sdmp | JoeSecurity_Wannacry | Yara detected Wannacry ransomware | Joe Security
00000006.00000000.398897193.0000000000710000.00000080.00000001.01000000.00000004.sdmp | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
(22 additional entries not shown)
Yara Overview: Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.mssecsvc.exe.7100a4.1.raw.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xf4d8:$x3: tasksche.exe
  • 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xf52c:$x5: WNcry@2ol7
  • 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xf42c:$s3: cmd.exe /c "%s"
  • 0x41980:$s4: msg/m_portuguese.wnry
6.2.mssecsvc.exe.7100a4.1.raw.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
9.2.mssecsvc.exe.7100a4.1.unpack | wanna_cry_ransomware_generic | detects wannacry ransomware on disk and in virtual page | us-cert code analysis team
  • 0xe8d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
  • 0xe900:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.mssecsvc.exe.7100a4.1.unpack | WannaCry_Ransomware | Detects WannaCry Ransomware | Florian Roth (with the help of binar.ly)
  • 0xe8fc:$x1: icacls . /grant Everyone:F /T /C /Q
  • 0xe8d8:$x3: tasksche.exe
  • 0xe8b4:$x4: Global\MsWinZonesCacheCounterMutexA
  • 0xe92c:$x5: WNcry@2ol7
  • 0xe8fc:$x9: icacls . /grant Everyone:F /T /C /Q
  • 0xe82c:$s3: cmd.exe /c "%s"
(91 additional entries not shown)
              No Sigma rule has matched
Snort IDS Alerts

Timestamp: 07/21/22-05:05:02.361266 | Source: 8.8.8.8:53 | Destination: 192.168.2.6:62079 | Protocol: UDP | SID: 2811577 | Classtype: A Network Trojan was detected
Timestamp: 07/21/22-05:03:37.145468 | Source: 8.8.8.8:53 | Destination: 192.168.2.6:64289 | Protocol: UDP | SID: 2811577 | Classtype: A Network Trojan was detected
Timestamp: 07/21/22-05:03:59.403745 | Source: 8.8.8.8:53 | Destination: 192.168.2.6:49287 | Protocol: UDP | SID: 2811577 | Classtype: A Network Trojan was detected
Timestamp: 07/21/22-05:04:20.247307 | Source: 8.8.8.8:53 | Destination: 192.168.2.6:58468 | Protocol: UDP | SID: 2811577 | Classtype: A Network Trojan was detected
Timestamp: 07/21/22-05:00:40.717318 | Source: 192.168.2.6:51748 | Destination: 8.8.8.8:53 | Protocol: UDP | SID: 2830018 | Classtype: A Network Trojan was detected
Timestamp: 07/21/22-05:03:02.787279 | Source: 192.168.2.6:52225 | Destination: 8.8.8.8:53 | Protocol: UDP | SID: 2830018 | Classtype: A Network Trojan was detected

AV Detection

Source: UBpReASuEC.dll | Metadefender: Detection: 74%
Source: UBpReASuEC.dll | ReversingLabs: Detection: 92%
Source: UBpReASuEC.dll | Avira: detected
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N | Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o | Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | URL Reputation: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/% | Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | URL Reputation: Label: malware
Source: C:\Windows\mssecsvc.exe | Avira: detection malicious, Label: W32/Virut.Gen
Source: C:\Windows\tasksche.exe | Avira: detection malicious, Label: TR/AD.WannaCry.gpbbt
Source: C:\Windows\tasksche.exe | Metadefender: Detection: 75%
Source: C:\Windows\tasksche.exe | ReversingLabs: Detection: 100%
Source: UBpReASuEC.dll | Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe | Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe | Joe Sandbox ML: detected
Source: 4.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: 4.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 4.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.2.unpack | Avira: Label: W32/Virut.Gen
Source: 9.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 9.2.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.0.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.4.unpack | Avira: Label: W32/Virut.Gen
Source: 6.0.mssecsvc.exe.400000.6.unpack | Avira: Label: W32/Virut.Gen
Source: UBpReASuEC.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

              Networking

Source: Traffic | Snort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.6:51748 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.6:52225 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.6:64289
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.6:49287
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.6:58468
Source: Traffic | Snort IDS: 2811577 ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) 8.8.8.8:53 -> 192.168.2.6:62079
Source: unknown | DNS traffic detected: query: euxngi.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: kymlxf.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: haqipv.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: akelqu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: skpqjl.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: knajpk.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oevgnn.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oyadis.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mlsjzu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ovalzq.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: auyazv.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mbbaux.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: dhmqvm.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: odivfj.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mjdvvw.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yfgraf.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: edbeos.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: lnn.maft.at, reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: wofqss.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: pfdpty.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: aueolp.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: flpuej.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oivayb.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qrmrxa.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: akufuf.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: nrwwej.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: eixjei.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oletfa.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: auowel.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ylyguq.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: iooaai.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: bhhhpq.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ihfjtf.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yfobli.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: vaaoff.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yldizc.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yexisu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: cjebbx.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: unuyas.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: agrwiq.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: uwyrsy.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: weuanq.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: kto.gind.at, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: src.gide.at, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: pfntvw.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: shyykl.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: lntyhe.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: yxdidf.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: easecy.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: vqzvfi.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: nkewuc.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: hoqayg.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: tpoxvi.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mwhmpz.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: gvkzcm.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: guseek.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mlgjto.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: jueuby.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: usecvu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: iietwy.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: bswdic.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: iqzvcy.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ovlicu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: voirue.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: zeufbm.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: vvwxii.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qfsper.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: kqmkgp.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: jyruxe.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: zwstuy.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ww.ziten.ru, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: pgmuok.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oirlzx.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: dzwrvg.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: rmdyox.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: wkedxi.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oqiqee.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: muyuou.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qxuyel.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: anyqaz.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: uptrqo.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ufmuub.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: vusvyj.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: eetebu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: jkjztp.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: edmwpe.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: mjrztu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ytyepn.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qsuuox.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: raniod.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: bnylmd.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: qsyrmp.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: pxzoao.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: pniyeh.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: ohqasc.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: oyebru.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: nuejea.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: julanu.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: akiypc.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: English language letter frequency does not match the domain names
Source: unknown | Network traffic detected: DNS query count 30
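The report's own signatures split this DNS activity into two kinds. The six-letter .com names that all come back NXDOMAIN trip the Snort rule for Virut DGA responses (SID 2811577), which is consistent with Avira's W32/Virut.Gen label on the dropped mssecsvc.exe above; the one WannaCry name, the long kill-switch domain, trips an exact-match rule (SID 2830018) and is answered SERVFAIL by the sandbox resolver. The Python below is an added example, not part of the Joe Sandbox report, that reproduces that triage offline: the NXDOMAIN ratio, the "letter frequency does not match English" test the report applies, and an exact indicator lookup. The records are a subset copied from the list above, the English letter-frequency table is the standard published approximation, and the thresholds and helper names are this example's assumptions.

```python
"""Triage of the DNS activity listed above: DGA heuristics plus an exact IOC.

Added example, not part of the Joe Sandbox report. It reproduces in plain
Python the three signals the report's signatures fired on: many distinct
queries that all come back NXDOMAIN, second-level labels whose pooled letter
distribution does not look like English, and one exact-match indicator.
"""
from collections import Counter
import string

# (query name, DNS RCODE) copied from the report: 3 = NXDOMAIN, 2 = SERVFAIL.
RECORDS = [
    ("euxngi.com", 3), ("kymlxf.com", 3), ("haqipv.com", 3), ("akelqu.com", 3),
    ("skpqjl.com", 3), ("knajpk.com", 3), ("oevgnn.com", 3), ("oyadis.com", 3),
    ("mlsjzu.com", 3), ("ovalzq.com", 3), ("auyazv.com", 3), ("mbbaux.com", 3),
    ("dhmqvm.com", 3), ("odivfj.com", 3), ("mjdvvw.com", 3), ("yfgraf.com", 3),
    ("edbeos.com", 3), ("lnn.maft.at", 2), ("kto.gind.at", 3),
    ("www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com", 2),
]

# Exact-match indicator taken from the report's Snort hit (ETPRO SID 2830018).
KNOWN_IOCS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"}

# Relative letter frequencies of English text (standard approximation).
ENGLISH = {
    "a": .082, "b": .015, "c": .028, "d": .043, "e": .127, "f": .022, "g": .020,
    "h": .061, "i": .070, "j": .0015, "k": .0077, "l": .040, "m": .024, "n": .067,
    "o": .075, "p": .019, "q": .00095, "r": .060, "s": .063, "t": .091, "u": .028,
    "v": .0098, "w": .024, "x": .0015, "y": .020, "z": .00074,
}
_TOTAL = sum(ENGLISH.values())
ENGLISH = {k: v / _TOTAL for k, v in ENGLISH.items()}   # normalise to sum 1.0


def ioc_hits(records):
    """Query names that match a known indicator exactly (no heuristics involved)."""
    return [name for name, _ in records if name.lower() in KNOWN_IOCS]


def nxdomain_ratio(records):
    """Share of responses that were NXDOMAIN; a DGA produces mostly dead names."""
    return sum(1 for _, rcode in records if rcode == 3) / len(records)


def registrable_label(name):
    """Second-level label: 'kto.gind.at' -> 'gind'. Public-suffix-aware code would do better."""
    return name.lower().rstrip(".").split(".")[-2]


def dga_labels(records):
    """Labels worth scoring: NXDOMAIN answers that are not already known IOCs."""
    return [registrable_label(n) for n, rc in records
            if rc == 3 and n.lower() not in KNOWN_IOCS]


def letter_frequency_distance(labels):
    """Total variation distance between the pooled letter distribution and English.

    0.0 means identical to English; uniformly random letters score about 0.35.
    Letters are pooled across labels because six letters per label is far too
    few to judge one name on its own.
    """
    counts = Counter(ch for lab in labels for ch in lab if ch in string.ascii_lowercase)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return 0.5 * sum(abs(counts[ch] / total - ENGLISH[ch]) for ch in string.ascii_lowercase)


def dga_verdict(records, min_domains=10, min_nxdomain=0.8, min_distance=0.3):
    """Combine the three signals. The thresholds are assumptions for this example."""
    labels = dga_labels(records)
    distance = letter_frequency_distance(labels)
    ratio = nxdomain_ratio(records)
    return {
        "distinct_queries": len({n for n, _ in records}),
        "nxdomain_ratio": round(ratio, 3),
        "letter_distance": round(distance, 3),
        "ioc_hits": ioc_hits(records),
        "dga_suspected": (len(labels) >= min_domains and ratio >= min_nxdomain
                          and distance >= min_distance),
    }


if __name__ == "__main__":
    for key, value in dga_verdict(RECORDS).items():
        print(f"{key}: {value}")
```

Two points the code makes explicit. Pooling letters across all labels is what makes the frequency test usable at all, which is why the report states its verdict over the whole query set rather than per name. And the heuristic score is a reason to look, not a block decision: the kill-switch domain is caught by the indicator match, not by the frequency test, and it never enters the DGA scoring because its answer was SERVFAIL, not NXDOMAIN.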
Source: svchost.exe, 0000001B.00000000.526150966.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.925987981.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: (@http://www.facebook.com equals www.facebook.com (Facebook)
Source: svchost.exe, 00000025.00000002.934439454.00000266A5486000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://Passport.NET/tb
Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: svchost.exe, 00000012.00000002.937199804.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434915689.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434450989.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cdn.content.prod.cms.msn.com/singletile/summary/alias/experiencebyname/today?market=en-US&sou
Source: lsass.exe, 0000000A.00000000.406688208.0000020A0F800000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.928389853.0000020A0F800000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.655733813.000001968955C000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.684675611.000002062AD00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000028.00000002.684675611.000002062AD00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
              Source: lsass.exe, 0000000A.00000000.409059915.0000020A0F073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.919189853.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406137063.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.408867824.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.932218591.0000020A0F8BD000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.470812037.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.488128927.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.517446302.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469185004.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.518610082.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478629962.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474237810.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.507053493.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502767921.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512953733.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.501838544.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.652525230.0000019687A00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.929953130.0000020A0F823000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: lsass.exe, 0000000A.00000000.406450907.0000020A0F0B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.925211663.0000020A0F0B1000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409297757.0000020A0F0B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://help.disneyplus.com.
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: lsass.exe, 0000000A.00000000.409059915.0000020A0F073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.919189853.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406137063.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.408867824.0000020A0F03F000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.932218591.0000020A0F8BD000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.470812037.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.488128927.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.517446302.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469185004.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.518610082.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478629962.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474237810.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.507053493.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502767921.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512953733.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.501838544.0000019687A00000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.652525230.0000019687A00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0:
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0H
              Source: lsass.exe, 0000000A.00000000.409059915.0000020A0F073000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.935116062.0000020A0F994000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410060899.0000020A0F993000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.406710935.0000020A0F815000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.932218591.0000020A0F8BD000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.470812037.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.488128927.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.518610082.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.507053493.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502767921.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512953733.0000019689517000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.655072175.0000019689513000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.msocsp.com0
              Source: backgroundTaskHost.exe, 00000018.00000002.653443453.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.482934202.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502128636.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512021088.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478934256.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.517793482.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469844015.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.492450987.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.506335861.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.497685292.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474651684.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.487364117.0000019687A9C000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schema.org/reminder
              Source: svchost.exe, 00000028.00000002.685289382.000002062AD3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microft8
              Source: svchost.exe, 0000001E.00000000.544447681.00000184771DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://schemas.msoft
              Source: lsass.exe, 0000000A.00000000.406730577.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.409621751.0000020A0F823000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.410034517.0000020A0F95F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0~
              Source: svchost.exe, 0000001B.00000000.526150966.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.925987981.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
              Source: mssecsvc.exe.2.drString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: mssecsvc.exe, 00000006.00000002.473354431.0000000000D44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
              Source: mssecsvc.exe, 00000004.00000002.715152073.0000000000DC9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%
              Source: mssecsvc.exe, 00000004.00000002.715373222.0000000000DF1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N
              Source: mssecsvc.exe, 00000006.00000002.473354431.0000000000D44000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o
              Source: mssecsvc.exe, 00000004.00000002.712659508.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
              Source: svchost.exe, 00000012.00000002.937199804.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434915689.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434450989.0000023260AB7000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://candycrush.king.com/mobile/windows/TileTemplate.xml
              Source: svchost.exe, 00000012.00000000.435829049.0000023260B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000002.940173415.0000023260B50000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.435512851.0000023260B50000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.onenote.net/livetile/?Language=en-US
              Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://disneyplus.com/legal.
              Source: 60f12053-d245-44a6-bc56-ad6e6ab7a7c9.f2d7e325-8812-419f-93c5-393f1d8412fe.down_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4IhjW?ver=1f70Last-Mo
              Source: 359095cb-bf2b-41bf-8103-13a2a8012235.a3ca69e3-e705-4f64-a747-3b1b77a563b2.down_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Ivzu?ver=4f7dContent
              Source: aa32b058-0d4a-4dd4-a681-a185709cfe4c.c81d4019-1330-4010-8ca2-301e518d770c.down_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4PlTB?ver=2a94Content
              Source: 6faba965-83b0-4727-9cf6-f717a8d19482.up_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Pwej?ver=cbf0
              Source: 6faba965-83b0-4727-9cf6-f717a8d19482.593aeaca-14dd-4f73-a505-b9177043fbb4.down_meta.25.dr, 7d74c1c9-e7b4-43ae-af85-d91ef9a0b3dd.593aeaca-14dd-4f73-a505-b9177043fbb4.down_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4Pwej?ver=cbf0Content
              Source: 883a00d1-26f9-46de-b0d6-299b64c5e1d5.8072ed17-626f-4b05-8d4e-e1f8c9d17eb3.down_meta.25.dr, 328613bb-d9fd-464d-8e18-36a56bfcd660.8072ed17-626f-4b05-8d4e-e1f8c9d17eb3.down_meta.25.drString found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RWHdvF?ver=db75Content-
              Source: backgroundTaskHost.exe, 00000018.00000000.517659898.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.492172317.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.497564176.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474469001.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.501989041.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.482751547.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.653090452.0000019687A59000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478770028.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.511817816.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469612248.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.487190551.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.506188205.0000019687A43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://pf.directory.live.com/profile/profile.asmx
              Source: svchost.exe, 00000025.00000002.953014239.00000266A5C1B000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.586857196.00000266A5C1B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://site-cdn.onenote.net/161182431559_Images/LiveTileImages/MediumAndLarge/Image1.png
              Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.hotspotshield.com/
              Source: backgroundTaskHost.exe, 00000018.00000000.479135816.0000019687B02000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.654120987.0000019687B02000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.bing.c
              Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
              Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
              Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
              Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.pango.co/privacy
              Source: svchost.exe, 00000028.00000003.661304130.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.660891846.000002062ADBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.661072190.000002062ADBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.661121292.000002062ADA6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.tiktok.com/legal/report/feedback
              Source: unknownDNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: C:\Windows\mssecsvc.exeCode function: 4_2_00BD27A7 GetTempFileNameA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,CreateProcessA,InternetCloseHandle,InternetCloseHandle,4_2_00BD27A7
              Source: mssecsvc.exe, 00000004.00000002.714937974.0000000000DAA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              Spam, unwanted Advertisements and Ransom Demands

              Source: Yara matchFile source: UBpReASuEC.dll, type: SAMPLE
              Source: Yara matchFile source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000000.390692739.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.395643051.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.712940908.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.400396194.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.517302066.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000000.392189177.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.398730935.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000000.396523616.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000000.395038973.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000000.397443595.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000006.00000002.470437987.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000000.403788291.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6944, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 6976, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: mssecsvc.exe PID: 7092, type: MEMORYSTR
              Source: Yara matchFile source: C:\Windows\mssecsvc.exe, type: DROPPED

              System Summary

              Source: UBpReASuEC.dll, type: SAMPLEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: UBpReASuEC.dll, type: SAMPLEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.398897193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.397658913.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000009.00000000.403899564.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.390830304.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.395187719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.400479545.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000000.395761146.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000009.00000002.517693947.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.392372689.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000002.713109877.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000006.00000002.470687764.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: 00000004.00000000.396673500.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: C:\Windows\mssecsvc.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvc.exe, type: DROPPED Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
              Source: UBpReASuEC.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
              Source: UBpReASuEC.dll, type: SAMPLE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: UBpReASuEC.dll, type: SAMPLE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.5.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.7.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.3.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 9.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.5.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.7100a4.3.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.7100a4.7.raw.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 9.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 4.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvc.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.398897193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.397658913.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000009.00000000.403899564.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.390830304.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.395187719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.400479545.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.395761146.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000009.00000002.517693947.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.392372689.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000002.713109877.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000002.470687764.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000004.00000000.396673500.0000000000710000.00000080.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: C:\Windows\mssecsvc.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\System32\wbem\WMIADAP.exe | File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3CB7
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3C88
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3CE3
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3BD5
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3CCE
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD28C8
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3C5A
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CE3
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA28C8
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CCE
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA4BDD
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3BD5
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3CB7
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3C88
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3C5A
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93CB7
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93C88
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93CE3
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93BD5
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B928C8
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93CCE
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93C5A
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD05F2 FindCloseChangeNotification,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification,FindCloseChangeNotification
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD252F NtOpenSection
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD2574 NtMapViewOfSection,FindCloseChangeNotification,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD116F LoadLibraryA,GetModuleHandleA,NtCreateProcessEx,NtMapViewOfSection,NtQueryInformationToken,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD24AE lstrcpyW,lstrlenW,NtCreateSection
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD339D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3378 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA24AE lstrcpyW,lstrlenW,NtCreateSection
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA339D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA3378 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA2574 NtMapViewOfSection,CloseHandle,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA252F NtOpenSection
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA1422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B905F2 CloseHandle,GetModuleHandleA,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,FindCloseChangeNotification,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle,CloseHandle
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9252F NtOpenSection
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B92574 NtMapViewOfSection,FindCloseChangeNotification,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B92477 NtCreateFile,NtCreateFile,NtCreateFile,NtProtectVirtualMemory,NtWriteVirtualMemory
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9116F LoadLibraryA,GetModuleHandleA,NtCreateProcessEx,NtMapViewOfSection,NtQueryInformationToken,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9144A LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B924AE lstrcpyW,lstrlenW,NtCreateSection
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9339D NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9042D GetModuleHandleA,GetVersion,VirtualAlloc,CloseHandle,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,CloseHandle
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B91422 LookupPrivilegeValueA,NtAdjustPrivilegesToken
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B93378 NtOpenSection,NtQuerySystemInformation,MapViewOfFile,CloseHandle,UnmapViewOfFile
              Source: mssecsvc.exe.2.dr | Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
              Source: tasksche.exe.6.dr | Static PE information: No import functions for PE file found
              Source: Joe Sandbox View | Dropped File: C:\Windows\tasksche.exe 96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865
              Source: tasksche.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: tasksche.exe.6.dr | Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
              Source: tasksche.exe.6.dr | Static PE information: Section: .data ZLIB complexity 1.001953125
              Source: tasksche.exe.6.dr | Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413
              Source: UBpReASuEC.dll | Metadefender: Detection: 74%
              Source: UBpReASuEC.dll | ReversingLabs: Detection: 92%
              Source: UBpReASuEC.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll"
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UBpReASuEC.dll,PlayGame
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",PlayGame
              Source: unknown | Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
              Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
              Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
              Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXv783p9dqgsc3mek8m05c3tj95wa9p858.mca
              Source: C:\Windows\System32\lsass.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
              Source: C:\Windows\mssecsvc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\System32\BackgroundTransferHost.exe | File created: C:\Users\user\AppData\Local\Packages\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\AC\BackgroundTransferApi\6071454c-93cc-4d3c-88ff-dcf9b8a683e4.down_data
              Source: classification engine | Classification label: mal100.rans.troj.evad.winDLL@24/28@31/1
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
              Source: UBpReASuEC.dll, mssecsvc.exe.2.dr | Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
              Source: C:\Windows\mssecsvc.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\BackgroundTransferHost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: UBpReASuEC.dll | Static file information: File size 5267459 > 1048576
              Source: UBpReASuEC.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
              Source: mssecsvc.exe.2.dr | Static PE information: section name: lkuhvek
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3CCE LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,CreateThread,CloseHandle,WSAStartup,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle
              Source: initial sample | Static PE information: section where entry point is pointing to: .rsrc
              Source: initial sample | Static PE information: section name: .text entropy: 7.663042758896975

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvc.exe
              Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvc.exe
              Source: C:\Windows\mssecsvc.exe | File created: C:\Windows\tasksche.exe
              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\mssecsvc.exeJump to dropped file
              Source: C:\Windows\mssecsvc.exeFile created: C:\Windows\tasksche.exeJump to dropped file
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\mssecsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\mssecsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\mssecsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\mssecsvc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\BackgroundTransferHost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\BackgroundTransferHost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\wbem\WMIADAP.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\mssecsvc.exe | Evasive API call chain: GetSystemTime,DecisionNodes,Sleep
              Source: C:\Windows\mssecsvc.exe | Special instruction interceptor: First address: 0000000000A6B605 instructions caused by: Self-modifying code
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6904 | Thread sleep count: 2696 > 30
              Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 6904 | Thread sleep count: 2699 > 30
              Source: C:\Windows\System32\svchost.exe TID: 6872 | Thread sleep time: -150000s >= -30000s
              Source: C:\Windows\mssecsvc.exe | Evasive API call chain: GetSystemTime,DecisionNodes
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD042D rdtsc
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2696
              Source: C:\Windows\System32\wbem\WMIADAP.exe | Window / User API: threadDelayed 2699
              Source: C:\Windows\mssecsvc.exe | API coverage: 6.3 %
              Source: C:\Windows\mssecsvc.exe | API coverage: 8.2 %
              Source: C:\Windows\mssecsvc.exe | Process information queried: ProcessInformation
              Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat
              Source: svchost.exe, 0000001B.00000000.530406338.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow inbound TCP port 636 traffic for vmicheartbeatLMEMp
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: c-Licen"@vmicheartbeat-block-out
              Source: svchost.exe, 00000025.00000000.586250079.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>X
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@vmicvss-block-out
              Source: svchost.exe, 0000001B.00000000.530406338.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeatLMEM`
              Source: svchost.exe, 00000013.00000000.441750757.0000013E23228000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000000.442234393.0000013E23228000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.923809237.0000013E23228000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.513098530.0000019689539000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.655370947.0000019689539000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.683534614.000002062A484000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.684248942.000002062A4EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Block any other inbound traffic for vmicheartbeat
              Source: svchost.exe, 00000025.00000002.952494580.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect><
              Source: dwm.exe, 00000015.00000002.937197080.0000024126E20000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
              Source: svchost.exe, 0000001B.00000000.530406338.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
              Source: svchost.exe, 00000025.00000002.927632282.00000266A4FC0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>
              Source: svchost.exe, 00000014.00000002.915352448.000001E26D828000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
              Source: svchost.exe, 00000025.00000002.919102052.00000266A4843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.570612328.00000266A4843000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Microsoft-Windows-Hyper-V-Hypervisor
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@vmicheartbeat
              Source: svchost.exe, 0000001E.00000002.925647945.0000018476029000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: zSCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000_0r
              Source: svchost.exe, 00000012.00000002.935997567.0000023260A52000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicshutdown
              Source: dwm.exe, 00000015.00000002.937197080.0000024126E20000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000/
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@vmicheartbeat-allow-in-1
              Source: svchost.exe, 00000012.00000000.432317240.000002325FE96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000@a
              Source: svchost.exe, 0000001B.00000002.932879008.0000029A9C400000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Block any outbound traffic for vmicshutdown
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@vmicshutdown
              Source: svchost.exe, 00000012.00000000.433024630.0000023260236000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicvss
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@Allow inbound TCP port 389 traffic for vmicheartbeat
              Source: svchost.exe, 00000012.00000000.433024630.0000023260236000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicshutdown
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@Allow inbound TCP port 636 traffic for vmicheartbeat
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicvss
              Source: svchost.exe, 00000025.00000000.583806432.00000266A5A00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware
              Source: svchost.exe, 00000025.00000000.586250079.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>oso
              Source: svchost.exe, 00000014.00000002.916878109.000001E26D849000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
              Source: svchost.exe, 00000025.00000002.952494580.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect></conn
              Source: svchost.exe, 0000001B.00000002.932879008.0000029A9C400000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@Allow outbound TCP traffic for vmicheartbeat
              Source: svchost.exe, 00000025.00000000.586250079.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>c><lci
              Source: svchost.exe, 00000012.00000000.432317240.000002325FE96000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: vmicheartbeat
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@vmicvss-block-in
              Source: svchost.exe, 00000025.00000002.952494580.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>WNS 1
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ,@vmicshutdown-block-out
              Source: lsass.exe, 0000000A.00000000.406267729.0000020A0F082000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicvssNT SERVICE
              Source: backgroundTaskHost.exe, 00000018.00000002.655566709.0000019689548000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWpm
              Source: svchost.exe, 00000025.00000000.586250079.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>c><lc
              Source: backgroundTaskHost.exe, 00000018.00000000.488298108.0000019689548000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.470958836.0000019689548000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWMSAFD Tcpip [RAW/IPv6]
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "&@Block any other outbound traffic for vmicheartbeat
              Source: svchost.exe, 0000001B.00000000.530406338.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Allow outbound TCP traffic for vmicheartbeatLMEM`
              Source: svchost.exe, 00000012.00000000.432885126.0000023260213000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicshutdown
              Source: svchost.exe, 00000025.00000000.575535498.00000266A5400000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMwareVirtual disk2.0NULLSCSI0PCI\VEN_1000&DEV_0054&SUBSYS_197615AD&REV_01\4&2509f6e&0&00A8
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: "@Block any outbound traffic for vmicvss
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: (@vmicheartbeat-allow-in-2
              Source: mssecsvc.exe, 00000004.00000002.715152073.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.473354431.0000000000D44000.00000004.00000020.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.405855460.0000020A0F013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000002.916543919.0000020A0F013000.00000004.00000001.00020000.00000000.sdmp, lsass.exe, 0000000A.00000000.408786696.0000020A0F013000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000017.00000002.914678495.000002EB37828000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.925395220.0000029A9B0B5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.526064728.0000029A9B0B5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000000.536167383.000001B5A282D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001C.00000002.915131423.000001B5A282D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001E.00000002.926192564.000001847603D000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: lsass.exe, 0000000A.00000000.406267729.0000020A0F082000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicshutdownNT SERVICE
              Source: svchost.exe, 00000012.00000000.433024630.0000023260236000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicshutdowne
              Source: svchost.exe, 00000025.00000000.586250079.00000266A5B7E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.17134</osVer><proc>x64</proc><lcid>en-US</lcid><geoId>244</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware7,1</deviceName></agent></connect>cat
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: .@vmicshutdown
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@vmicshutdown-block-in
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $@vmicheartbeat
              Source: svchost.exe, 0000001B.00000002.932879008.0000029A9C400000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@Block any inbound traffic for vmicshutdown
              Source: svchost.exe, 00000025.00000002.919102052.00000266A4843000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000025.00000000.570612328.00000266A4843000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: $Microsoft-Windows-Hyper-V-Hypervisor
              Source: svchost.exe, 00000017.00000002.912583826.000002EB37802000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
              Source: lsass.exe, 0000000A.00000000.406267729.0000020A0F082000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: pvmicheartbeatNT SERVICE
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: *@vmicheartbeat-allow-out
              Source: svchost.exe, 0000001B.00000000.530406338.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @Allow inbound TCP port 389 traffic for vmicheartbeatLMEMp
              Source: backgroundTaskHost.exe, 00000018.00000002.653443453.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.482934202.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502128636.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512021088.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478934256.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.517793482.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469844015.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.492450987.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.506335861.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.497685292.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat-block-in
              Source: svchost.exe, 00000025.00000000.583806432.00000266A5A00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: nonicVMware Virtual disk 2.0 NULL
              Source: svchost.exe, 00000012.00000000.433024630.0000023260236000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: @vmicheartbeat
              Source: svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: &@Block any inbound traffic for vmicvss
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD3CCE LoadLibraryA,GetProcAddress,LoadLibraryA,GetTickCount,GetVolumeInformationA,CreateThread,CloseHandle,WSAStartup,CreateThread,CloseHandle,CreateEventA,socket,connect,GetVersionExA,wsprintfA,CreateThread,CloseHandle
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD042D rdtsc
              Source: C:\Windows\mssecsvc.exe | Process token adjusted: Debug (2 occurrences)
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD05F2 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD042D mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_00BD025E mov edx, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA05F2 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA025E mov edx, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 4_2_7FEA042D mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B905F2 mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9042D mov eax, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Code function: 9_2_00B9025E mov edx, dword ptr fs:[00000030h]
              Source: C:\Windows\mssecsvc.exe | Process queried: DebugPort

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\winlogon.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\lsass.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\dwm.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: C:\Windows\System32\svchost.exe protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exeSection loaded: \BaseNamedObjects\rgltVt target: unknown protection: execute and read and writeJump to behavior
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\whptVt target: C:\Windows\System32\winlogon.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\whptVt target: C:\Windows\System32\lsass.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\whptVt target: C:\Windows\System32\fontdrvhost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\whptVt target: C:\Windows\System32\svchost.exe protection: execute and read and write
              Source: C:\Windows\mssecsvc.exe Section loaded: \BaseNamedObjects\whptVt target: C:\Windows\System32\dwm.exe protection: execute and read and write
              Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\backgroundTaskHost.exe base: 19689AC0000
              Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\svchost.exe base: 2062B1A0000
              Source: C:\Windows\System32\lsass.exe Memory written: C:\Windows\System32\wbem\WMIADAP.exe base: 1BAB0D90000
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772F9A50 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772F9830 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772FA040 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772F99D0 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772FA120 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Memory protected: unknown base: 772F9670 protect: page execute and read and write
              Source: C:\Windows\mssecsvc.exe Thread created: unknown EIP: 7FFF3BD0
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1
              Source: dwm.exe, 00000015.00000000.484558802.0000024129C21000.00000004.00000001.00020000.00000000.sdmp, dwm.exe, 00000015.00000002.957348978.0000024129C21000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: winlogon.exe, 00000007.00000000.406951072.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.402480383.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.931503022.0000021287470000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
              Source: winlogon.exe, 00000007.00000000.406951072.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.402480383.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.931503022.0000021287470000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
              Source: winlogon.exe, 00000007.00000000.406951072.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.402480383.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.931503022.0000021287470000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
              Source: winlogon.exe, 00000007.00000000.406951072.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000000.402480383.0000021287470000.00000002.00000001.00040000.00000000.sdmp, winlogon.exe, 00000007.00000002.931503022.0000021287470000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00BD3826 GetSystemTime,Sleep,InternetGetConnectedState,gethostbyname,socket,ioctlsocket,connect,Sleep,closesocket
              Source: C:\Windows\mssecsvc.exe Code function: 4_2_00BD042D GetModuleHandleA,GetVersion,VirtualAlloc,FindCloseChangeNotification,SetProcessAffinityMask,NtCreateFile,NtOpenFile,NtCreateProcess,NtCreateProcessEx,NtCreateUserProcess,NtQueryInformationProcess,lstrcpyW,lstrcpyW,lstrcatW,NtMapViewOfSection,NtOpenProcessToken,CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,CreateRemoteThread,FindCloseChangeNotification
              Source: svchost.exe, 0000001B.00000002.947165387.0000029A9CD20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.940859027.0000029A9CAB5000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.940537206.0000029A9CA8E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 0000001B.00000002.940537206.0000029A9CA8E000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.530331622.0000029A9CA8E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @\device\harddiskvolume4\program files\windows defender\msmpeng.exe
              Source: svchost.exe, 0000001B.00000002.936538879.0000029A9C552000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.528784421.0000029A9C552000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: (@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 0000001B.00000002.933407744.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: .@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 0000001B.00000002.933407744.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: @C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 0000001B.00000002.936538879.0000029A9C552000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.528784421.0000029A9C552000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: *@C:\Program Files\Windows Defender\MsMpEng.exe
              Source: svchost.exe, 0000001B.00000002.933407744.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000000.527634222.0000029A9C426000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: $@C:\Program Files\Windows Defender\MsMpEng.exe
              MITRE ATT&CK matrix (flattened into one line per tactic; the number in front of a technique is the count badge shown in the matrix):

              Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
              Execution: 12 Native API, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
              Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
              Privilege Escalation: 412 Process Injection, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
              Defense Evasion: 121 Masquerading, 21 Virtualization/Sandbox Evasion, 412 Process Injection, 1 Obfuscated Files or Information, 1 Rundll32, 4 Software Packing, 1 File Deletion
              Credential Access: 1 Input Capture, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
              Discovery: 11 System Time Discovery, 231 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 3 Process Discovery, 1 Application Window Discovery, 1 Remote System Discovery, 13 System Information Discovery
              Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
              Collection: 1 Input Capture, 1 Archive Collected Data, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
              Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
              Command and Control: 1 Encrypted Channel, 1 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 1 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port
              Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
              Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
              Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact
              [Behavior graph] Behavior Graph ID: 670724 Sample: UBpReASuEC Startdate: 21/07/2022 Architecture: WINDOWS Score: 100

              Source | Detection | Scanner | Label
              UBpReASuEC.dll | 74% | Metadefender |
              UBpReASuEC.dll | 93% | ReversingLabs | Win32.Ransomware.WannaCry
              UBpReASuEC.dll | 100% | Avira | W32/Virut.Gen
              UBpReASuEC.dll | 100% | Joe Sandbox ML |
              Source | Detection | Scanner | Label
              C:\Windows\mssecsvc.exe | 100% | Avira | W32/Virut.Gen
              C:\Windows\tasksche.exe | 100% | Avira | TR/AD.WannaCry.gpbbt
              C:\Windows\mssecsvc.exe | 100% | Joe Sandbox ML |
              C:\Windows\tasksche.exe | 100% | Joe Sandbox ML |
              C:\Windows\tasksche.exe | 75% | Metadefender |
              C:\Windows\tasksche.exe | 100% | ReversingLabs | Win32.Ransomware.WannaCry
              Source | Detection | Scanner | Label
              4.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
              4.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              4.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              6.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              4.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
              4.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
              6.0.mssecsvc.exe.400000.2.unpack | 100% | Avira | W32/Virut.Gen
              9.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              9.2.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              6.0.mssecsvc.exe.400000.0.unpack | 100% | Avira | W32/Virut.Gen
              6.0.mssecsvc.exe.400000.4.unpack | 100% | Avira | W32/Virut.Gen
              6.0.mssecsvc.exe.400000.6.unpack | 100% | Avira | W32/Virut.Gen
              No Antivirus matches
              Source | Detection | Scanner | Label
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N | 100% | Avira URL Cloud | malware
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o | 100% | Avira URL Cloud | malware
              https://www.disneyplus.com/legal/your-california-privacy-rights | 0% | URL Reputation | safe
              https://www.disneyplus.com/legal/privacy-policy | 0% | URL Reputation | safe
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 100% | URL Reputation | malware
              https://www.bing.c | 0% | Avira URL Cloud | safe
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/% | 100% | Avira URL Cloud | malware
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ | 100% | URL Reputation | malware
              https://www.pango.co/privacy | 0% | URL Reputation | safe
              https://disneyplus.com/legal. | 0% | URL Reputation | safe
              http://crl.ver) | 0% | Avira URL Cloud | safe
              https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
              http://Passport.NET/tb | 0% | Avira URL Cloud | safe
              http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ | 0% | URL Reputation | safe
              http://schemas.msoft | 0% | Avira URL Cloud | safe
              http://help.disneyplus.com. | 0% | URL Reputation | safe
              http://schemas.microft8 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dual-a-0001.a-msedge.net | 204.79.197.200 | true | false | - | unknown
hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | 3.130.204.160 | true | false | - | high
shyykl.com | unknown | unknown | true | - | unknown
auyazv.com | unknown | unknown | true | - | unknown
euxngi.com | unknown | unknown | true | - | unknown
oivayb.com | unknown | unknown | true | - | unknown
ytyepn.com | unknown | unknown | true | - | unknown
ovalzq.com | unknown | unknown | true | - | unknown
ufmuub.com | unknown | unknown | true | - | unknown
jkjztp.com | unknown | unknown | true | - | unknown
ylyguq.com | unknown | unknown | true | - | unknown
kymlxf.com | unknown | unknown | true | - | unknown
mlsjzu.com | unknown | unknown | true | - | unknown
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | unknown | unknown | true | - | unknown
hiapba.com | unknown | unknown | true | - | unknown
muyuou.com | unknown | unknown | true | - | unknown
qxuyel.com | unknown | unknown | true | - | unknown
jueuby.com | unknown | unknown | true | - | unknown
nuejea.com | unknown | unknown | true | - | unknown
pfdpty.com | unknown | unknown | true | - | unknown
iqzvcy.com | unknown | unknown | true | - | unknown
easecy.com | unknown | unknown | true | - | unknown
zwstuy.com | unknown | unknown | true | - | unknown
mlgjto.com | unknown | unknown | true | - | unknown
bswdic.com | unknown | unknown | true | - | unknown
eetebu.com | unknown | unknown | true | - | unknown
iietwy.com | unknown | unknown | true | - | unknown
ihfjtf.com | unknown | unknown | true | - | unknown
rmdyox.com | unknown | unknown | true | - | unknown
jyruxe.com | unknown | unknown | true | - | unknown
oqiqee.com | unknown | unknown | true | - | unknown
yuyuol.com | unknown | unknown | true | - | unknown
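The domain table above carries the two network facts an analyst acts on first: the WannaCry kill-switch domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com (the worm component only keeps going when its HTTP request to that domain fails, which is why the sandbox sees it queried and then sees spreading behaviour), and a burst of six-letter .com names that never resolved, which is what the "Queries random domain names" signature is reacting to. Note that Avira labels the unpacked mssecsvc.exe memory as W32/Virut.Gen while the Yara match says WannaCry; the report does not say which component issues the random lookups. The script below is an added example, not part of the Joe Sandbox report: it triages the lookups transcribed from the table, separating the kill-switch query from ordinary NXDOMAIN noise and flagging a cluster of unresolved names that share one shape. The shape heuristic and the burst threshold of 10 are this example's own assumptions.

```python
"""Triage of the DNS lookups listed in the sandbox report (added example).

Two checks a SOC analyst runs on such a list:
  1. exact match against the WannaCry kill-switch domain, copied from the
     report's domain table;
  2. a shape heuristic for names that never resolved: algorithmically
     generated names tend to share one TLD, one label length and one
     character class, while real hostnames rarely do.
The lookup list is transcribed from the report; BURST_THRESHOLD and the
shape definition are assumptions made for this example.
"""
from collections import defaultdict

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"

# (queried name, resolved IP or None) transcribed from the report's domain table
LOOKUPS = [
    ("dual-a-0001.a-msedge.net", "204.79.197.200"),
    ("hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com", "3.130.204.160"),
    ("shyykl.com", None), ("auyazv.com", None), ("euxngi.com", None),
    ("oivayb.com", None), ("ytyepn.com", None), ("ovalzq.com", None),
    ("ufmuub.com", None), ("jkjztp.com", None), ("ylyguq.com", None),
    ("kymlxf.com", None), ("mlsjzu.com", None),
    (KILL_SWITCH, None),
    ("hiapba.com", None), ("muyuou.com", None), ("qxuyel.com", None),
    ("jueuby.com", None), ("nuejea.com", None), ("pfdpty.com", None),
    ("iqzvcy.com", None), ("easecy.com", None), ("zwstuy.com", None),
    ("mlgjto.com", None), ("bswdic.com", None), ("eetebu.com", None),
    ("iietwy.com", None), ("ihfjtf.com", None), ("rmdyox.com", None),
    ("jyruxe.com", None), ("oqiqee.com", None), ("yuyuol.com", None),
]

# Assumption: this many unresolved names of one shape count as a burst.
BURST_THRESHOLD = 10


def name_shape(domain):
    """Describe a name by (TLD, length of the label under it, letters-only?).

    Generated names such as the six-letter .com entries in the report share
    one shape; legitimate CDN hostnames with digits and hyphens do not.
    """
    labels = domain.lower().rstrip(".").split(".")
    tld = labels[-1]
    sld = labels[-2] if len(labels) > 1 else ""
    return (tld, len(sld), sld.isalpha())


def triage(lookups, burst_threshold=BURST_THRESHOLD):
    """Split lookups into kill-switch, resolved and NXDOMAIN, then find
    clusters of unresolved names that share a shape."""
    result = {"kill_switch": [], "resolved": [], "nxdomain": [], "bursts": []}
    by_shape = defaultdict(list)
    for name, ip in lookups:
        if name.lower() == KILL_SWITCH:
            # Checked first: the kill-switch domain is also unresolved here,
            # but it must not be mixed into the NXDOMAIN noise.
            result["kill_switch"].append(name)
        elif ip is None:
            result["nxdomain"].append(name)
            by_shape[name_shape(name)].append(name)
        else:
            result["resolved"].append((name, ip))
    for shape, names in by_shape.items():
        if len(names) >= burst_threshold:
            result["bursts"].append(
                {"shape": shape, "count": len(names), "sample": names[:5]})
    return result


def verdict(summary):
    """Human-readable findings, one line per finding."""
    lines = []
    if summary["kill_switch"]:
        lines.append("WannaCry kill-switch domain queried: "
                     + ", ".join(summary["kill_switch"]))
    for burst in summary["bursts"]:
        tld, length, alpha = burst["shape"]
        kind = "alphabetic " if alpha else ""
        lines.append(f"{burst['count']} unresolved .{tld} names with "
                     f"{length}-character {kind}labels, e.g. "
                     + ", ".join(burst["sample"]))
    return lines


if __name__ == "__main__":
    for line in verdict(triage(LOOKUPS)):
        print(line)
```

Run against the report's own list, the script reports the single kill-switch query and one burst of 29 unresolved six-letter alphabetic .com names, while the two resolved CDN hostnames stay out of both findings. In a production pipeline the same `triage` function can be fed a DNS log instead of the transcribed table; the kill-switch match is a high-confidence indicator on its own, whereas a shape burst is a prompt to pull the process that issued the queries, not a verdict by itself.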
Name | Source | Malicious | Antivirus Detection | Reputation

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/N
  Source: mssecsvc.exe, 00000004.00000002.715373222.0000000000DF1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: Avira URL Cloud: malware
  Reputation: unknown

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/o
  Source: mssecsvc.exe, 00000006.00000002.473354431.0000000000D44000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: Avira URL Cloud: malware
  Reputation: unknown

Name: https://www.disneyplus.com/legal/your-california-privacy-rights
  Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://www.disneyplus.com/legal/privacy-policy
  Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://candycrush.king.com/mobile/windows/TileTemplate.xml
  Source: svchost.exe, 00000012.00000002.937199804.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434915689.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000012.00000000.434450989.0000023260AB7000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high

Name: https://pf.directory.live.com/profile/profile.asmx
  Source: backgroundTaskHost.exe, 00000018.00000000.517659898.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.492172317.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.497564176.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474469001.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.501989041.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.482751547.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.653090452.0000019687A59000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478770028.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.511817816.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469612248.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.487190551.0000019687A43000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.506188205.0000019687A43000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
  Source: mssecsvc.exe.2.dr
  Malicious: true
  Antivirus Detection: URL Reputation: malware
  Reputation: unknown

Name: https://www.bing.c
  Source: backgroundTaskHost.exe, 00000018.00000000.479135816.0000019687B02000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000002.654120987.0000019687B02000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/%
  Source: mssecsvc.exe, 00000004.00000002.715152073.0000000000DC9000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: Avira URL Cloud: malware
  Reputation: unknown

Name: https://www.hotspotshield.com/terms/
  Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
  Source: mssecsvc.exe, 00000006.00000002.473354431.0000000000D44000.00000004.00000020.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: URL Reputation: malware
  Reputation: unknown

Name: https://www.pango.co/privacy
  Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://disneyplus.com/legal.
  Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://crl.ver)
  Source: svchost.exe, 00000028.00000002.684675611.000002062AD00000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: low

Name: http://www.google.com
  Source: svchost.exe, 0000001B.00000000.526150966.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000001B.00000002.925987981.0000029A9B0C8000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high

Name: https://www.tiktok.com/legal/report/feedback
  Source: svchost.exe, 00000028.00000003.661304130.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.660891846.000002062ADBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.661072190.000002062ADBC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.661121292.000002062ADA6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://Passport.NET/tb
  Source: svchost.exe, 00000025.00000002.934439454.00000266A5486000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
  Source: mssecsvc.exe, 00000004.00000002.712659508.000000000019C000.00000004.00000010.00020000.00000000.sdmp
  Malicious: true
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://schema.org/reminder
  Source: backgroundTaskHost.exe, 00000018.00000002.653443453.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.482934202.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.502128636.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.512021088.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.478934256.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.517793482.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.469844015.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.492450987.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.506335861.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.497685292.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.474651684.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp, backgroundTaskHost.exe, 00000018.00000000.487364117.0000019687A9C000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high

Name: http://schemas.msoft
  Source: svchost.exe, 0000001E.00000000.544447681.00000184771DD000.00000004.00000001.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://help.disneyplus.com.
  Source: svchost.exe, 00000028.00000003.654901611.000002062ADA0000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: http://schemas.microft8
  Source: svchost.exe, 00000028.00000002.685289382.000002062AD3D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: URL Reputation: safe
  Reputation: unknown

Name: https://support.hotspotshield.com/
  Source: svchost.exe, 00000028.00000003.651043924.000002062AD9C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.650880528.000002062B202000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651148131.000002062ADAD000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000028.00000003.651394135.000002062B202000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Antivirus Detection: -
  Reputation: high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)
IP
192.168.2.1
                                                                                          Joe Sandbox Version:35.0.0 Citrine
                                                                                          Analysis ID:670724
Start date and time:2022-07-21 04:59:12 +02:00
                                                                                          Joe Sandbox Product:CloudBasic
                                                                                          Overall analysis duration:0h 14m 32s
                                                                                          Hypervisor based Inspection enabled:false
                                                                                          Report type:full
                                                                                          Sample file name:UBpReASuEC (renamed file extension from none to dll)
                                                                                          Cookbook file name:default.jbs
                                                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:22
                                                                                          Number of new started drivers analysed:0
                                                                                          Number of existing processes analysed:0
                                                                                          Number of existing drivers analysed:0
                                                                                          Number of injected processes analysed:20
                                                                                          Technologies:
                                                                                          • HCA enabled
                                                                                          • EGA enabled
                                                                                          • HDC enabled
                                                                                          • AMSI enabled
                                                                                          Analysis Mode:default
                                                                                          Analysis stop reason:Timeout
                                                                                          Detection:MAL
                                                                                          Classification:mal100.rans.troj.evad.winDLL@24/28@31/1
                                                                                          EGA Information:
                                                                                          • Successful, ratio: 66.7%
                                                                                          HDC Information:
                                                                                          • Successful, ratio: 1.5% (good quality ratio 1.5%)
                                                                                          • Quality average: 75.3%
                                                                                          • Quality standard deviation: 7.4%
                                                                                          HCA Information:
                                                                                          • Successful, ratio: 53%
                                                                                          • Number of executed functions: 20
                                                                                          • Number of non-executed functions: 66
                                                                                          Cookbook Comments:
                                                                                          • Adjust boot time
                                                                                          • Enable AMSI
                                                                                          • Override analysis time to 240s for rundll32
                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe
                                                                                          • Excluded IPs from analysis (whitelisted): 23.211.4.86, 23.211.6.115, 80.67.82.235, 80.67.82.211, 20.223.24.244, 52.167.249.196, 52.183.220.149, 52.140.118.28, 51.124.78.146
                                                                                          • Excluded domains from analysis (whitelisted): bhhhpq.com, knajpk.com, vaaoff.com, pniyeh.com, vi.strup.pl, oevgnn.com, kto.gind.at, faiyda.com, anyqaz.com, lntyhe.com, fs-wildcard.microsoft.com.edgekey.net, mwhmpz.com, wkedxi.com, www.bing.com, akiypc.com, oyebru.com, aueolp.com, nkewuc.com, pgmuok.com, mjdvvw.com, settings-prod-cin-1.centralindia.cloudapp.azure.com, pxzoao.com, ris.api.iris.microsoft.com, hheong.com, qfsper.com, lnn.maft.at, iooaai.com, raniod.com, yexisu.com, agrwiq.com, oletfa.com, advein.com, e12564.dspb.akamaiedge.net, oirlzx.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, uptrqo.com, prod.fs.microsoft.com.akadns.net, settings-prod-weu-1.westeurope.cloudapp.azure.com, bnylmd.com, dzwrvg.com, pfntvw.com, eixjei.com, mjrztu.com, atm-settingsfe-prod-weighted.trafficmanager.net, qsyrmp.com, mbbaux.com, weuanq.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, yxdidf.com, qrmrxa.com, oyadis.com, wofqss.com, kqmkgp.com, settings-prod-scus-2.southcentralus.clou
• Execution Graph export aborted for target mssecsvc.exe, PID 6976 because there are no executed functions
• Not all processes were analysed, report is missing behavior information
                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                          • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                                                                          • VT rate limit hit for: UBpReASuEC.dll
Time | Type | Description
05:00:35 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified
05:02:29 | API Interceptor | 8x Sleep call for process: svchost.exe modified
                                                                                          No context
Match | Associated Sample Name / URL | Detection | Context
dual-a-0001.a-msedge.net | SecuriteInfo.com.W32.AIDetectNet.01.15601.exe | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | SecuriteInfo.com.VBA.Logan.3458.11956.xls | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://www.southtowna982.com/ | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | FjYNZSPNkt.dll | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | 38grJ6wbWq.html | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://www.flowcode.com/page/unite292will | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | JWEZOVFR.EXE | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | MY00884Q00129.exe | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://1drv.ms:443/o/s!BCmallTfOXamgzSwGgeeXl7lslt3?e=4Cla4nBnfkadKLTfw_Mdjg&at=9 | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | PEQzYbY0er.exe | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | Documents KMTCMAA0290019 ( CI+PL+BL).vbs | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | 4DzrKufLnK.exe | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://go.nice.com/MzM4LUVKUC00MzEAAAGFtb6zVXuOnVoNFSA7qTufQcWLkaX6RNa3d0vDuXUAKDvgJohiHT6eOcGd-RIg23FVlIC2oKo= | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://the.realfactsamerica.com/link.php?AGENCY=COWBOY&M=8124335&N=25331&L=19456&F=H&drurl=aHR0cDovL2ZlZWRsZHMuY29tLz9lPWMzUmxkbVZ1TG5OcGJIWmxjbk4wWldsdVFITndaVzVqWlhKbmFXWjBjeTVqYjIwPQ== | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://1drv.ms/o/s!BBDr9SvsQwFJnGrnPPXxUYT0fc6B?e=KkxvxbUlEEmram7MVHeibQ&at=9 | malicious | 204.79.197.200
dual-a-0001.a-msedge.net | https://urlsand.esvalabs.com/?u=https%3A%2F%2Fservices.intralinks.com%2FAZ%3Fw%3D13095755%26br%3D1%26p%3D3%26urlId%3D1415095158&e=50525cf7&h=57da353e&f=y&p=y | malicious | 204.79.197.200
                                                                                          Inv-42092859-4.ppamGet hashmaliciousBrowse
                                                                                          • 204.79.197.200
                                                                                          File.exeGet hashmaliciousBrowse
                                                                                          • 204.79.197.200
                                                                                          http://45.134.140.152Get hashmaliciousBrowse
                                                                                          • 204.79.197.200
                                                                                          https://231e02eb.sibforms.com/serve/MUIEADfoAq5V0DVdRclj7_zH_rTFPm-YlKyi7usfXQ3yerbZLkQyg6Yluzckf4ldkvV6aGl63NCfewKNQvuBTUEqJaEwbcKkRqePZwehzpP9BuVPBvwjgIhzgpLaBfjmUQ9u6FehhiXxwYgSz5haG95Y1PMfo6T36WjIWyVWs9re81SdC2BfmO91PC2FkaQcFWh6bexC-1-7Ps1HGet hashmaliciousBrowse
                                                                                          • 204.79.197.200
                                                                                          No context
                                                                                          No context
Match | Associated Sample Name / URL | Detection
C:\Windows\tasksche.exe | 2yQ8hmXyz0.dll | malicious
C:\Windows\tasksche.exe | 4Maoj78D1f.dll | malicious
C:\Windows\tasksche.exe | 9UxtlcUBmY.dll | malicious
C:\Windows\tasksche.exe | 41ECj4EgTY.dll | malicious
C:\Windows\tasksche.exe | NANG-104355_mssecsvr.exe | malicious
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1230
                                                                                                    Entropy (8bit):3.6110385152907045
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwmXpjgWzgxjX+vUViwH72tBKf1+BnXsafxOc2CpX3K0bwNzw:LLD2mRi3XpjPgVX+v8iG72tBKN4Xrfew
                                                                                                    MD5:B56ED40CAC267C282D8F4070A3A64510
                                                                                                    SHA1:F9C90BF670ABC4DC90B69F784A15797F44473934
                                                                                                    SHA-256:AC7E5ADF17AD92E800E034711B3ECE829CCFA209CD2A9EDC184972444B0049B1
                                                                                                    SHA-512:1D3A2EC341DE9F3AA859DBA9AC07C35FD30A0D4B8BCEFB2392A02130C81819BE8145145F6B57A23C52F5348F15707447CCC305F3E2E68A7DEFDA3CB9BE3EDD44
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.l.T.B.?.v.e.r.=.2.a.9.4...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.l.T.B.?.v.e.r.=.2.a.9.4...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.u.n.,. .0.3. .J.u.l. .2.0.2.2. .0.5.:.0.2.:.3.7. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.6.0.8.3.3...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .a.e.8.d.a.1.5.5.-.9.0.f.0.-.4.f.7.0.-.a.5.f.d.-.3.d.e.c.7.8.3.e.c.9.6.9...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.6.0.8.3.3...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):278
                                                                                                    Entropy (8bit):3.3894363370336076
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRct:ZxMghwLtHSM1Sb9mSMXAvwR
                                                                                                    MD5:A27F678F172C642E24DE4740C5B2DBC3
                                                                                                    SHA1:36444729D96B371E3B182455FD5416A724875FF3
                                                                                                    SHA-256:BF27499FEA1EC1D167352764D5DE5CC87FCE82683C3F8CDB3E3A19086DEC5C82
                                                                                                    SHA-512:7846A476F6349EB719D781B6F529DCAAB21140067A54756A3C51E695B20E4C5FF74F5CA798181023D22860E9EA36C9E452EC003AB8A1B242033EB43F3EFA627F
                                                                                                    Malicious:false
                                                                                                    Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.P.l.T.B.?.v.e.r.=.2.a.9.4...........
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.617886292983045
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRitvXpjgWzgxjX+vUVitzBBKE1+AMfh+IpsafxOc2CpX3KdbmISz7zzw:LLD2mRiVXpjPgVX+v8iBBBKuhMZ+IprM
                                                                                                    MD5:B41DEC6FFA96BCF82FBAF611911398FA
                                                                                                    SHA1:FB971E95023E6864481564F30D899CF04A6C357D
                                                                                                    SHA-256:3C3118990B8F2F3A274699C9C7AC1A6F958E7E181F7F582EBB4E641D6BFE4334
                                                                                                    SHA-512:5F02AD0357AEEF860D04C7BEDF396DBD8E5E3BD6A17FD404E1171B078CFA1014A15DA9BA66F614A807D614B6A5D9DF2956807CC6E5F6C8D8FEC1FDB44CE5BB71
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.H.d.v.F.?.v.e.r.=.d.b.7.5...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.H.d.v.F.?.v.e.r.=.d.b.7.5...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.u.e.,. .0.5. .J.u.l. .2.0.2.2. .2.1.:.4.4.:.3.3. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.0.3.2.9.5...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .e.6.6.a.6.3.2.d.-.1.4.1.7.-.4.a.8.0.-.a.e.4.1.-.b.3.d.1.9.e.c.9.8.4.f.c...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.0.3.2.9.5...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.2 (Windows), datetime=2021:05:28 16:53:16]
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1603295
                                                                                                    Entropy (8bit):6.753308838105362
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:C4jNiVr4qh4txEPsZkDkUZXmxKnalR3HG/R0JyNHMnVWJhwW8+AcohdhgPq/Jh:C4jNiVr4qpYkOrINOhYq/X
                                                                                                    MD5:646B9FC287CA9DB22069A9DDF5ED981E
                                                                                                    SHA1:1EE0D47BD351A812A177A2EFFE06D600EBA34CA3
                                                                                                    SHA-256:B8AC5EB3B58303B0973EFE90B40DA4569826FDF24B7AB94016FB5C1BD5846E41
                                                                                                    SHA-512:81D84CE00BAD88CC38AFAE5C9995B51B527EF49C7717C487A6C38354F42FF87A42C7D60A794850E11E437E41EA4D68EDFE201D07D50E514EE8D67CFB8E22C8D8
                                                                                                    Malicious:false
                                                                                                    Preview:......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.2 (Windows).2021:05:28 16:53:16.............................8..........................................."...........*.(.....................2...........j.......H.......H..........Adobe_CM......Adobe.d...................................................................................................................................................Z.."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?..].....U../...8Z.Y......F~.......9.!....*..2wC.`.g......q.1s&......(....t..cM.@..A.Rn&.6.k@1...-..[F..|..g_...#....."z...<P....6....2*a....[..,A....U.wI
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1226
                                                                                                    Entropy (8bit):3.6016456604246807
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwXFXpjgWzgxjX+vUViwXooBf1+UMMsafxOc2CpX30bDZalXzw:LLD2mRiIXpjPgVX+v8igBNF3rfeIX303
                                                                                                    MD5:07B72D89B1ED8B61E535BC2ABDF597AF
                                                                                                    SHA1:500B80B8B6393EBA57FAE98411F6452BBCF6FBBF
                                                                                                    SHA-256:AFD347D0F717E24CD625960F3606D70E16244AA588F4467183C4AC433EDD6645
                                                                                                    SHA-512:B0B4B14891521B0BB32BD056CDFDB929C042F2B6143B1A43384711FFBE1305955C97E7A1942520AFFEAFA0FED29DE6D78B682A36A9F829B0D878CC2C74718462
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.v.z.u.?.v.e.r.=.4.f.7.d...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.v.z.u.?.v.e.r.=.4.f.7.d...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.u.n.,. .1.7. .J.u.l. .2.0.2.2. .0.4.:.1.2.:.4.5. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .6.4.8.0.7.7...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .a.d.e.e.f.b.3.4.-.c.0.a.5.-.4.a.c.e.-.b.0.8.2.-.9.5.6.a.6.c.0.0.4.a.c.6...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.4.8.0.7.7...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1080, frames 3
                                                                                                    Category:dropped
                                                                                                    Size (bytes):648077
                                                                                                    Entropy (8bit):7.977806082173002
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:6h+OF4uoSA4dEqWveCOlWMKHepZGRnknrXMWDOxUV48SA8Mp4ZrG:6MOFLQ4dLGeCMWM9Qnknr8t+YA+ZS
                                                                                                    MD5:5458F7693784923195702174155D7B3C
                                                                                                    SHA1:7BD70CD83D89E000791953CF8AB54B87C0FEAD85
                                                                                                    SHA-256:FC52469E34A65090EEB9B0333273025AACD873C86C63AA12C915ED7641BFB8FD
                                                                                                    SHA-512:6AA3157057AC486CF64032FE4C20F864B047585DAA890B7F6F05F7D243AF5516EBE913A85224E53247C14AB4E1F198A75594DCBDF61B9CB5ADB531DAD51D0DDE
                                                                                                    Malicious:false
                                                                                                    Preview:......JFIF.....`.`.....C....................................................................C.......................................................................8...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..2..Le....P.a..H..x.;..qLnjV.j&.Z..Z....u#......Q......H.;.M.....M...E..M..a..).h.LZ...K.......m;.]..a.h.O.F...{h.O...V...Z.ZB.n.....6..G..\..Xn.r...i.i.{.........v..M!.E........-.C(#4.zQ...n.@..8.P... .9........F.v.F.Up........E.J..*..J.4-.=).M(...0&9...}'4\..i6.~...\.....`Rm.,%/4...f..........4m5&.Zd.`OZp.....J..f....4.Z..$4.i<.J.c.5 ....S.S..J#...Z......E.7),~.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.6254066880554796
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRi7z0XpjgWzgxjX+vUVi7zyBBKj1+LtOpsafxOc2CpX3KwbNdzE:LLD2mRiMXpjPgVX+v8iaBBKR4tOprfeV
                                                                                                    MD5:79767DA61764B38BD317A6BD8241C84A
                                                                                                    SHA1:B9F4C015F6BED65CC645FF1BF86FC88ACF15AA05
                                                                                                    SHA-256:AEDF4AB248A55F40FF2CDD9E983C28B5A3EF6CC2C24A6889F9B645248A8EE19A
                                                                                                    SHA-512:A4552DBB075AC957616C678FBAA2AA00714EBC353F5F436C107B12A3FCEA846BE0702C103D52C42EA73D6F48B1C519D9A564ABEB4AA38EC846D3EB647DD753F3
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.H.t.7.8.?.v.e.r.=.d.9.b.7...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.W.H.t.7.8.?.v.e.r.=.d.9.b.7...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .T.u.e.,. .0.5. .J.u.l. .2.0.2.2. .2.1.:.4.4.:.3.3. .G.M.T...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .1.6.8.9.8.3.0...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .a.0.3.9.3.c.9.2.-.5.6.1.5.-.4.d.f.8.-.8.d.5.4.-.d.f.7.b.2.b.b.a.e.5.4.d...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .1.6.8.9.8.3.0...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.2 (Windows), datetime=2021:05:28 16:52:49]
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1689830
                                                                                                    Entropy (8bit):6.861393432577005
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:edC81bzBAsO5ZWOklZjQxKnaDR3HG/R0JyN0qNoH4dX/GkZmO18Il1T/2/QkzJJa:edC81bzaW0CX/GbW841j2bJMe7U
                                                                                                    MD5:33E18071DB8D402840B4A62A95778A13
                                                                                                    SHA1:9E7546F1D11ACAB5A5F0B1AA243BBDF724E26BDA
                                                                                                    SHA-256:BF354FCF29C7BD03804F43ACFC74D916D3085F9015591C21C011F237FD311A05
                                                                                                    SHA-512:6B4863E21FA29D9B7D6E4FBC4B4C239F7DFE72C57C2151E58142B11384A785EDCB646C3BFDC888057F4CD410651C09F6CACB18A1677E39C3AC355F874C4AE091
                                                                                                    Malicious:false
                                                                                                    Preview:......Exif..MM.*.............................b...........j.(...........1.........r.2...........i....................'.......'.Adobe Photoshop 21.2 (Windows).2021:05:28 16:52:49.........................................8..............................."...........*.(.....................2...................H.......H..........Adobe_CM......Adobe.d.................................................................................................................................................Z...."................?..........................................................................3......!.1.AQa."q.2.....B#$.R.b34r..C.%.S...cs5....&D.TdE.t6..U.e...u..F'...............Vfv........7GWgw........................5.....!1..AQaq"..2.....B#.R..3$b.r..CS.cs4.%......&5..D.T..dEU6te....u..F...............Vfv........'7GWgw.................?.....yk).$."V.-.T.pc..d,....Q.p[,...$............6...K.89...U..SLK.V.y...........:.T....xA.Y..."...R.t.i.w.l......w...F..uB...@i..L~..LO..^!0.v..b...);
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.6072733039513065
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwinWzgx71+Bm6safxOc2CpXpjjX+vUViw/BdX3ibecIzzw:LLD2mRiTggvYm6rfeIXpjjX+v8ieBdXC
                                                                                                    MD5:2513140D9E5B98478FF38E3286EDF25D
                                                                                                    SHA1:71F1480A6A8547B85AAA25A45A045C763B4A0A41
                                                                                                    SHA-256:064955503F206AB1F15650438D870158005709B53DB7D40E6E3EDA64BF572E02
                                                                                                    SHA-512:819F089E97AE62434BE06A75CD59D1C7138844EF49DA17207D040F4825F3679DECFF5F925B30EDB194AA2C9C13C0E05E9ADFFB643F4447BFEC8EAC2707AF8D0F
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.h.j.W.?.v.e.r.=.1.f.7.0...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.a.t.,. .0.2. .J.u.l. .2.0.2.2. .0.5.:.3.0.:.2.2. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .8.6.c.d.e.c.a.5.-.2.5.5.a.-.4.5.6.5.-.9.f.f.d.-.0.d.d.2.6.1.c.f.1.b.e.b...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.h.j.W.?.v.e.r.=.1.f.7.0...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .6.1.3.5.6.7...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.1.3.5.6.7...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):278
                                                                                                    Entropy (8bit):3.4350986465636852
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRsalWvl:ZxMghwLtHSM1Sb9mSMXAvwRr
                                                                                                    MD5:89D09B34609397415243075D49AF750D
                                                                                                    SHA1:9F3428A1B21686D99FF5ABB5D80EA55138353479
                                                                                                    SHA-256:669600E7861E4A92733B3366F718FE3BEFB6262E45F17B181F5BDE291AA3EAF1
                                                                                                    SHA-512:FE90351CC0810790A8050F8AF5989ABFD5B39F919381AE0F145436B322F1E6F6514763269E1BED31A600A752D847276E84651B4D46B05AC33947F8DFBAE3E678
                                                                                                    Malicious:false
                                                                                                    Preview:F.4.2.0.C.4.E.A.-.4.2.6.1.-.4.B.6.6.-.8.B.9.C.-.E.A.A.8.C.C.C.9.6.A.D.E...G.E.T...h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.h.j.W.?.v.e.r.=.1.f.7.0...........
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1232
                                                                                                    Entropy (8bit):3.62022264151444
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiw5CuXpjgWzgxjX+vUViw5nrBB41+lPDipsafxOc2CpX3JbbOGFzw:LLD2mRi+1XpjPgVX+v8i+dBiqPD6rfex
                                                                                                    MD5:F005EE8A58481E0B1EA148A93D8A328E
                                                                                                    SHA1:0E843E5352E75BA0497BB1E97140C39EB238F5B5
                                                                                                    SHA-256:CA5B172DC99F6B2F92681397244946A563E8FC76E49D6A8AE8EC47CE7097C6E6
                                                                                                    SHA-512:62B14F0CEFCD48270255D64A67C8D2149299DD38670C8D1ACF274000F4C5EEC63228DDBAFD7015013C45DABA87E1270F3FB71A5EE1B05956B26253D11CD39B24
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):278
                                                                                                    Entropy (8bit):3.422473556620063
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRKaMAo4:ZxMghwLtHSM1Sb9mSMXAvwR/M
                                                                                                    MD5:053A6748354C63633E9F064D374A3D64
                                                                                                    SHA1:F7392A988C29192C2DBB9192931C98C346A03B46
                                                                                                    SHA-256:1867022FBB28FC2A1F79ED84CFA93EFEE48C33EF120A7976E594BD497DA2ED3F
                                                                                                    SHA-512:175DB5E34D5D66ABCBA2DC76ADF44978A26A70A5CCEA46FF96D3EC85F4F34BA0B571785C3A912E87FD3D194F101339B2D0E988D4A611FFA91F9AC9204BDE5765
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1232
                                                                                                    Entropy (8bit):3.62022264151444
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiw5CuXpjgWzgxjX+vUViw5nrBB41+lPDipsafxOc2CpX3JbbOGFzw:LLD2mRi+1XpjPgVX+v8i+dBiqPD6rfex
                                                                                                    MD5:F005EE8A58481E0B1EA148A93D8A328E
                                                                                                    SHA1:0E843E5352E75BA0497BB1E97140C39EB238F5B5
                                                                                                    SHA-256:CA5B172DC99F6B2F92681397244946A563E8FC76E49D6A8AE8EC47CE7097C6E6
                                                                                                    SHA-512:62B14F0CEFCD48270255D64A67C8D2149299DD38670C8D1ACF274000F4C5EEC63228DDBAFD7015013C45DABA87E1270F3FB71A5EE1B05956B26253D11CD39B24
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2022:03:02 13:22:10]
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1708865
                                                                                                    Entropy (8bit):6.97847786200903
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:HdC81bzUVyezQkoZvNEyfcO/irM/R0JGSUxf8QQYVzaIPhwkXtpxODfAL9OeQZzE:HdC81bzIzMbXVzag5OjCOeQJkd
                                                                                                    MD5:BEA60D73FB1ECED3027734526438F17C
                                                                                                    SHA1:94EF9697C95742084DB52EDC303FD4DA31286FE3
                                                                                                    SHA-256:0F41D7DBC9F23B935077A920C03146802FFA26B1342E5A262E62750DDCDDAE21
                                                                                                    SHA-512:29BC20AA7B8C40E1E4B2738F2C9FAA23A1A0D37A34FF44866F81551FE9B374A6EE4EDED8D4292CF2DE3D928D7B008701922AE7A7DD48E9CDBC63A08D4F3CC6C7
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.617886292983045
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRitvXpjgWzgxjX+vUVitzBBKE1+AMfh+IpsafxOc2CpX3KdbmISz7zzw:LLD2mRiVXpjPgVX+v8iBBBKuhMZ+IprM
                                                                                                    MD5:B41DEC6FFA96BCF82FBAF611911398FA
                                                                                                    SHA1:FB971E95023E6864481564F30D899CF04A6C357D
                                                                                                    SHA-256:3C3118990B8F2F3A274699C9C7AC1A6F958E7E181F7F582EBB4E641D6BFE4334
                                                                                                    SHA-512:5F02AD0357AEEF860D04C7BEDF396DBD8E5E3BD6A17FD404E1171B078CFA1014A15DA9BA66F614A807D614B6A5D9DF2956807CC6E5F6C8D8FEC1FDB44CE5BB71
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):276
                                                                                                    Entropy (8bit):3.438175784744095
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQiVmrAo:ZxMghwLtHSM1Sb9mSMXAvhr
                                                                                                    MD5:9F7A90D7E32FD4A4110DF064B1957D0A
                                                                                                    SHA1:2362EE9182E294EB85C75042E7489ABB5173D396
                                                                                                    SHA-256:8E828B723168F6DAD1D3D13B3667F1EB91BF9B226FED23AE0ED140D1C277A946
                                                                                                    SHA-512:924547ED720641EBECC589A573E3B68547D5D7693F8E2B8DAB689454C0BCCA872EBD8FB6C1EB8C3C39B26A1E4785C4E5AA3B204AA040A384016BCB269DB2DF5E
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1226
                                                                                                    Entropy (8bit):3.6016456604246807
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwXFXpjgWzgxjX+vUViwXooBf1+UMMsafxOc2CpX30bDZalXzw:LLD2mRiIXpjPgVX+v8igBNF3rfeIX303
                                                                                                    MD5:07B72D89B1ED8B61E535BC2ABDF597AF
                                                                                                    SHA1:500B80B8B6393EBA57FAE98411F6452BBCF6FBBF
                                                                                                    SHA-256:AFD347D0F717E24CD625960F3606D70E16244AA588F4467183C4AC433EDD6645
                                                                                                    SHA-512:B0B4B14891521B0BB32BD056CDFDB929C042F2B6143B1A43384711FFBE1305955C97E7A1942520AFFEAFA0FED29DE6D78B682A36A9F829B0D878CC2C74718462
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):278
                                                                                                    Entropy (8bit):3.418353962995147
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQwRsZUoal:ZxMghwLtHSM1Sb9mSMXAvwRxn
                                                                                                    MD5:6E8889632FDEFA92D03416F4BCDCF6CA
                                                                                                    SHA1:E031BDACB6AB7C6F27DB20F38E47E397C4444F03
                                                                                                    SHA-256:4D291630362729565E519F5D33BD67FFD4EF5B4E1B43E71696A469F4380F5EA6
                                                                                                    SHA-512:BEC466A5BACABB32CE56962EB37056BEE67227D6BFD433602AE50E92AB2E7FFBC42F628E8E11FE10C131945DB8D4049F1463758343E1B8224F06EC0D33800ED0
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1230
                                                                                                    Entropy (8bit):3.6110385152907045
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwmXpjgWzgxjX+vUViwH72tBKf1+BnXsafxOc2CpX3K0bwNzw:LLD2mRi3XpjPgVX+v8iG72tBKN4Xrfew
                                                                                                    MD5:B56ED40CAC267C282D8F4070A3A64510
                                                                                                    SHA1:F9C90BF670ABC4DC90B69F784A15797F44473934
                                                                                                    SHA-256:AC7E5ADF17AD92E800E034711B3ECE829CCFA209CD2A9EDC184972444B0049B1
                                                                                                    SHA-512:1D3A2EC341DE9F3AA859DBA9AC07C35FD30A0D4B8BCEFB2392A02130C81819BE8145145F6B57A23C52F5348F15707447CCC305F3E2E68A7DEFDA3CB9BE3EDD44
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop 21.1 (Windows), datetime=2022:03:02 13:23:15]
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1660833
                                                                                                    Entropy (8bit):6.930794506164581
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24576:+4jNiVr4qksnz807k9ZliEKBcI/prV/RmJGoGa1KZTOsePRxaAxS2+gPu/Zj:+4jNiVr4qu0frZfWxaaqgG/Zj
                                                                                                    MD5:2CD6B59B5F9D8E356D332AA2E645CAFF
                                                                                                    SHA1:A981FFE89A6EC691AB4E5DAD320832D3236ECC12
                                                                                                    SHA-256:3E97C246B7A8DFB0590215FC3C7236583D4AFDFEF0315D89770BB8FE7305DF1C
                                                                                                    SHA-512:CB2A41C198ED4D119ABADA123A96359E923864E73AD3F937DA5DB0AB679C3095AD8E7608DBC737C433B417214716F08450D78FACCB395790B0249C4C6AE12868
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.6254066880554796
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRi7z0XpjgWzgxjX+vUVi7zyBBKj1+LtOpsafxOc2CpX3KwbNdzE:LLD2mRiMXpjPgVX+v8iaBBKR4tOprfeV
                                                                                                    MD5:79767DA61764B38BD317A6BD8241C84A
                                                                                                    SHA1:B9F4C015F6BED65CC645FF1BF86FC88ACF15AA05
                                                                                                    SHA-256:AEDF4AB248A55F40FF2CDD9E983C28B5A3EF6CC2C24A6889F9B645248A8EE19A
                                                                                                    SHA-512:A4552DBB075AC957616C678FBAA2AA00714EBC353F5F436C107B12A3FCEA846BE0702C103D52C42EA73D6F48B1C519D9A564ABEB4AA38EC846D3EB647DD753F3
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):276
                                                                                                    Entropy (8bit):3.424945768604952
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:ZyncUkamOwhg2YMYtHSMLhU7lBSliHGSMX6YXKMwEQiVOlnaUoqnG/:ZxMghwLtHSM1Sb9mSMXAv7a8
                                                                                                    MD5:258640F6D6B36C93D7FA148F5167502B
                                                                                                    SHA1:6C2E439AA7B71D93FF77A9CE56B13F1F43A5AFED
                                                                                                    SHA-256:CB11046EDC373FFAF058247C58106FEF5F4123DACD619D696BA89BBE8120BFCA
                                                                                                    SHA-512:712334D9ED01B856ED8FADB48D74968220A98DBA7CD5E8362500BBB74EB5D7FC78F628F426D9AB66C68EDD62F131EAE2C45FF1EBF35EAB4183B8010BAA4C16C1
                                                                                                    Malicious:false
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1080x1920, frames 3
                                                                                                    Category:dropped
                                                                                                    Size (bytes):613567
                                                                                                    Entropy (8bit):7.905601627857833
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12288:MzT+UvqrMe4mdkr6gcCShKLz/CGh4Z1LnJjYaIlg:Bymdq6h8P/C1ZPNUg
                                                                                                    MD5:6D031AC336957A7B06E915DE5DD97A6A
                                                                                                    SHA1:4A3CC280924191A6675547792C957041E32B08B7
                                                                                                    SHA-256:656DD2410D701D0C64EFFC15EEB9AFA7FC0833DC201EC626CC77FC56671C1330
                                                                                                    SHA-512:8FF219CF020118C16C2CBDA921E9C3D28BD107663785FAC9A21355A0697128B60651C50218DE20F187DDFEEAE508ABFEB1DB72A1CC4E9C7BE489D512B2519DD9
                                                                                                    Malicious:false
                                                                                                    Preview:......JFIF.....`.`.....C....................................................................C.........................................................................8.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....N.LZzW.Y......E...H.7....s.-"U..\P...g..2..#-G.....fK...P....z..V...v.......&.I..U..QH....S...`..^... aK...]#(Z.G+ ..lSy.+.2.jV..2....e..3mQ.P..v...4...4QRh:.m..r.=Z.E&..ber.T....V..M..>`.+.]...).U.=d.S.)U...E....uJ.VzIS..R..j.J7...oR....*.OB.<.......h....4u...P.P...r...>...+K.5A...6...$l-1.u&.zk5.s\u2....v..ai..n.L.a..5...-BN.9J..j6......V...g
                                                                                                    Process:C:\Windows\System32\BackgroundTransferHost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):1228
                                                                                                    Entropy (8bit):3.6072733039513065
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:24:LLVR2mRiwinWzgx71+Bm6safxOc2CpXpjjX+vUViw/BdX3ibecIzzw:LLD2mRiTggvYm6rfeIXpjjX+v8ieBdXC
                                                                                                    MD5:2513140D9E5B98478FF38E3286EDF25D
                                                                                                    SHA1:71F1480A6A8547B85AAA25A45A045C763B4A0A41
                                                                                                    SHA-256:064955503F206AB1F15650438D870158005709B53DB7D40E6E3EDA64BF572E02
                                                                                                    SHA-512:819F089E97AE62434BE06A75CD59D1C7138844EF49DA17207D040F4825F3679DECFF5F925B30EDB194AA2C9C13C0E05E9ADFFB643F4447BFEC8EAC2707AF8D0F
                                                                                                    Malicious:false
                                                                                                    Preview:h.t.t.p.s.:././.i.m.g.-.p.r.o.d.-.c.m.s.-.r.t.-.m.i.c.r.o.s.o.f.t.-.c.o.m...a.k.a.m.a.i.z.e.d...n.e.t./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.h.j.W.?.v.e.r.=.1.f.7.0...L.a.s.t.-.M.o.d.i.f.i.e.d.:. .S.a.t.,. .0.2. .J.u.l. .2.0.2.2. .0.5.:.3.0.:.2.2. .G.M.T...A.c.c.e.s.s.-.C.o.n.t.r.o.l.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.D.a.t.a.c.e.n.t.e.r.:. .n.o.r.t.h.e.u...X.-.A.c.t.i.v.i.t.y.I.d.:. .8.6.c.d.e.c.a.5.-.2.5.5.a.-.4.5.6.5.-.9.f.f.d.-.0.d.d.2.6.1.c.f.1.b.e.b...T.i.m.i.n.g.-.A.l.l.o.w.-.O.r.i.g.i.n.:. .*...X.-.F.r.a.m.e.-.O.p.t.i.o.n.s.:. .D.E.N.Y...X.-.R.e.s.i.z.e.r.V.e.r.s.i.o.n.:. .1...0...C.o.n.t.e.n.t.-.T.y.p.e.:. .i.m.a.g.e./.j.p.e.g...C.o.n.t.e.n.t.-.L.o.c.a.t.i.o.n.:. .h.t.t.p.s.:././.i.m.a.g.e...p.r.o.d...c.m.s...r.t...m.i.c.r.o.s.o.f.t...c.o.m./.c.m.s./.a.p.i./.a.m./.i.m.a.g.e.F.i.l.e.D.a.t.a./.R.E.4.I.h.j.W.?.v.e.r.=.1.f.7.0...X.-.S.o.u.r.c.e.-.L.e.n.g.t.h.:. .6.1.3.5.6.7...C.o.n.t.e.n.t.-.L.e.n.g.t.h.:. .6.1.3.5.6.7...C.a.c.h.e.-.C.o.n.t.r.o.l.:. .p.u.b.
                                                                                                    Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3444
                                                                                                    Entropy (8bit):5.011954215267298
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                    MD5:B133A676D139032A27DE3D9619E70091
                                                                                                    SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                    SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                    SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                    Malicious:false
                                                                                                    Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3751936
                                                                                                    Entropy (8bit):5.726947076292018
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:49152:BnREMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvR:lSPoBhz1aRxcSUDk36SAEdhv
                                                                                                    MD5:2391E0DBB3A7862306913032CE72F302
                                                                                                    SHA1:A92A91E847986494AFBD182D2711BC50FB02F51D
                                                                                                    SHA-256:55D3B4DFEC21BD0B1FDEF783FD8967654D949F4D06534E87CB8F96C91CD08436
                                                                                                    SHA-512:12321B2C9133887090B1762ACC2E44B9A5635A2707AB622A28BBA186D860BF3CEE98D369B69937D42AEA340327FF73A48A9E48921746550241AA06C6D3B11258
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                    • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....J.....................08.......f...........@..........................0g......................................................1.. 6..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc.... 6...1.. 6.. ..............`...lkuhvek...... g......@9.................................................................................................................................................................................................................................................................................................................................
                                                                                                    Process:C:\Windows\System32\wbem\WMIADAP.exe
                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):3444
                                                                                                    Entropy (8bit):5.011954215267298
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:48:ADPo+gDMIuK54DeHNg9dqbEzCJGGgGDU3XgLBgaGKFijiVJtVAAF/XRgW:ADw+gDMhK54qHC7aBvGKFijiV7XRgW
                                                                                                    MD5:B133A676D139032A27DE3D9619E70091
                                                                                                    SHA1:1248AA89938A13640252A79113930EDE2F26F1FA
                                                                                                    SHA-256:AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
                                                                                                    SHA-512:C6B99E13D854CE7A6874497473614EE4BD81C490802783DB1349AB851CD80D1DC06DF8C1F6E434ABA873A5BBF6125CC64104709064E19A9DC1C66DCDE3F898F5
                                                                                                    Malicious:false
                                                                                                    Preview://////////////////////////////////////////////////////////////////////////////////////////////..//..// Copyright (C) 2000 Microsoft Corporation..//..// Module Name:..// WmiApRpl..//..// Abstract:..//..// Include file for object and counters definitions...//..//////////////////////////////////////////////////////////////////////////////////////////////......#define.WMI_Objects.0..#define.HiPerf_Classes.2..#define.HiPerf_Validity.4....#define.MSiSCSI_ConnectionStatistics_00000.6....#define.BytesReceived_00000.8..#define.BytesSent_00000.10..#define.PDUCommandsSent_00000.12..#define.PDUResponsesReceived_00000.14....#define.MSiSCSI_InitiatorInstanceStatistics_00001.16....#define.SessionConnectionTimeoutErrorCount_00001.18..#define.SessionDigestErrorCount_00001.20..#define.SessionFailureCount_00001.22..#define.SessionFormatErrorCount_00001.24....#define.MSiSCSI_InitiatorLoginStatistics_00002.26....#define.LoginAcceptRsps_00002.28..#define.LoginAuthenticateFails_00002.30..#define.LoginAuthFai
                                                                                                    Process:C:\Windows\mssecsvc.exe
                                                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Category:dropped
                                                                                                    Size (bytes):2061938
                                                                                                    Entropy (8bit):7.993464768178038
                                                                                                    Encrypted:true
                                                                                                    SSDEEP:49152:SEMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvm:ZPoBhz1aRxcSUDk36SAEdhvm
                                                                                                    MD5:A0D0B20286669B4664AE1AEFFAF07A88
                                                                                                    SHA1:28BCAFBD85E84479B575CC1F3C5B3C39875A3A5F
                                                                                                    SHA-256:96D7B2D83E30FED4EEC2CBF2E1FBE426DAD705F918AE8ABBDA0DB4B4AFB82865
                                                                                                    SHA-512:CFF6F64549B7E2961181A041ECBFBE9C90B6B9AAB970609785FCD8A6AD69BE9915B0A6F22C3481EA4E07DC8BE3E4591FB49C551ABC22CEDA2239935ADFEC0249
                                                                                                    Malicious:true
                                                                                                    Yara Hits:
                                                                                                    • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team
                                                                                                    Antivirus:
                                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                    • Antivirus: Metadefender, Detection: 75%
                                                                                                    • Antivirus: ReversingLabs, Detection: 100%
                                                                                                    Joe Sandbox View:
                                                                                                    • Filename: 2yQ8hmXyz0.dll, Detection: malicious
                                                                                                    • Filename: 4Maoj78D1f.dll, Detection: malicious
                                                                                                    • Filename: 9UxtlcUBmY.dll, Detection: malicious
                                                                                                    • Filename: 41ECj4EgTY.dll, Detection: malicious
                                                                                                    • Filename: NANG-104355_mssecsvr.exe, Detection: malicious
                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):4.370660965526769
                                                                                                    TrID:
                                                                                                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                    • DOS Executable Generic (2002/1) 0.20%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:UBpReASuEC.dll
                                                                                                    File size:5267459
                                                                                                    MD5:66df13c96db53128fee1997dc75cd1b9
                                                                                                    SHA1:96b538087dd52cdd71b753e25d3f208ad45efc1b
                                                                                                    SHA256:3743363b9a2845554eed086c43ee5756bd8878867b4cb0a3c0ba6f096596aa5d
                                                                                                    SHA512:3cc55afc2900bbe2d329f0da121251123395b178435c08c1e62bcbaec58c90b2824698a2702fe84be4f26b6b9bfc40d3b396def497c3dcbedcf5d14bae683cba
                                                                                                    SSDEEP:49152:onREMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvR:YSPoBhz1aRxcSUDk36SAEdhv
                                                                                                    TLSH:D7363399717C92FCD10529B444ABCA53B2B27C6D12FE6A0F9F4049761D03F5AFB90A43
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......
                                                                                                    Icon Hash:74f0e4ecccdce0e4
                                                                                                    Entrypoint:0x100011e9
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x10000000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                                                                                                    DLL Characteristics:
                                                                                                    Time Stamp:0x59145751 [Thu May 11 12:21:37 2017 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:4
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:4
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:4
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:2e5708ae5fed0403e8117c645fb23e5b
                                                                                                    Instruction
                                                                                                    push ebp
                                                                                                    mov ebp, esp
                                                                                                    push ebx
                                                                                                    mov ebx, dword ptr [ebp+08h]
                                                                                                    push esi
                                                                                                    mov esi, dword ptr [ebp+0Ch]
                                                                                                    push edi
                                                                                                    mov edi, dword ptr [ebp+10h]
                                                                                                    test esi, esi
                                                                                                    jne 00007F8388BC522Bh
                                                                                                    cmp dword ptr [10003140h], 00000000h
                                                                                                    jmp 00007F8388BC5248h
                                                                                                    cmp esi, 01h
                                                                                                    je 00007F8388BC5227h
                                                                                                    cmp esi, 02h
                                                                                                    jne 00007F8388BC5244h
                                                                                                    mov eax, dword ptr [10003150h]
                                                                                                    test eax, eax
                                                                                                    je 00007F8388BC522Bh
                                                                                                    push edi
                                                                                                    push esi
                                                                                                    push ebx
                                                                                                    call eax
                                                                                                    test eax, eax
                                                                                                    je 00007F8388BC522Eh
                                                                                                    push edi
                                                                                                    push esi
                                                                                                    push ebx
                                                                                                    call 00007F8388BC513Ah
                                                                                                    test eax, eax
                                                                                                    jne 00007F8388BC5226h
                                                                                                    xor eax, eax
                                                                                                    jmp 00007F8388BC5270h
                                                                                                    push edi
                                                                                                    push esi
                                                                                                    push ebx
                                                                                                    call 00007F8388BC4FECh
                                                                                                    cmp esi, 01h
                                                                                                    mov dword ptr [ebp+0Ch], eax
                                                                                                    jne 00007F8388BC522Eh
                                                                                                    test eax, eax
                                                                                                    jne 00007F8388BC5259h
                                                                                                    push edi
                                                                                                    push eax
                                                                                                    push ebx
                                                                                                    call 00007F8388BC5116h
                                                                                                    test esi, esi
                                                                                                    je 00007F8388BC5227h
                                                                                                    cmp esi, 03h
                                                                                                    jne 00007F8388BC5248h
                                                                                                    push edi
                                                                                                    push esi
                                                                                                    push ebx
                                                                                                    call 00007F8388BC5105h
                                                                                                    test eax, eax
                                                                                                    jne 00007F8388BC5225h
                                                                                                    and dword ptr [ebp+0Ch], eax
                                                                                                    cmp dword ptr [ebp+0Ch], 00000000h
                                                                                                    je 00007F8388BC5233h
                                                                                                    mov eax, dword ptr [10003150h]
                                                                                                    test eax, eax
                                                                                                    je 00007F8388BC522Ah
                                                                                                    push edi
                                                                                                    push esi
                                                                                                    push ebx
                                                                                                    call eax
                                                                                                    mov dword ptr [ebp+0Ch], eax
                                                                                                    mov eax, dword ptr [ebp+0Ch]
                                                                                                    pop edi
                                                                                                    pop esi
                                                                                                    pop ebx
                                                                                                    pop ebp
                                                                                                    retn 000Ch
                                                                                                    jmp dword ptr [10002028h]
Programming Language:
• [ C ] VS98 (6.0) build 8168
• [C++] VS98 (6.0) build 8168
• [RES] VS98 (6.0) cvtres build 1720
• [LNK] VS98 (6.0) imp/exp build 8168
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2190 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4000 | 0x500060 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x505000 | 0x5c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x1000 | 0x28c | 0x1000 | False | 0.13037109375 | data | 1.4429971244731552 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x1d8 | 0x1000 | False | 0.072509765625 | data | 0.7346018133622799 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3000 | 0x154 | 0x1000 | False | 0.016845703125 | data | 0.085238686413312 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4000 | 0x500060 | 0x501000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x505000 | 0x2ac | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
--- | --- | --- | --- | --- | ---
W | 0x4060 | 0x500000 | data | English | United States
DLL | Import
--- | ---
KERNEL32.dll | CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll | free, _initterm, malloc, _adjust_fdiv, sprintf
Name | Ordinal | Address
--- | --- | ---
PlayGame | 1 | 0x10001114
Language of compilation system | Country where language is spoken | Map
--- | --- | ---
English | United States |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | --- | --- | --- | ---
07/21/22-05:05:02.361266 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 62079 | 8.8.8.8 | 192.168.2.6
07/21/22-05:03:37.145468 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 64289 | 8.8.8.8 | 192.168.2.6
07/21/22-05:03:59.403745 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 49287 | 8.8.8.8 | 192.168.2.6
07/21/22-05:04:20.247307 | UDP | 2811577 | ETPRO TROJAN Possible Virut DGA NXDOMAIN Responses (com) | 53 | 58468 | 8.8.8.8 | 192.168.2.6
07/21/22-05:00:40.717318 | UDP | 2830018 | ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) | 51748 | 53 | 192.168.2.6 | 8.8.8.8
07/21/22-05:03:02.787279 | UDP | 2830018 | ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) | 52225 | 53 | 192.168.2.6 | 8.8.8.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
                                                                                                    Jul 21, 2022 05:05:02.810801983 CEST6179353192.168.2.68.8.8.8
                                                                                                    Jul 21, 2022 05:05:02.838634968 CEST53617938.8.8.8192.168.2.6
                                                                                                    Jul 21, 2022 05:05:02.841947079 CEST5169953192.168.2.68.8.8.8
                                                                                                    Jul 21, 2022 05:05:02.869591951 CEST53516998.8.8.8192.168.2.6
                                                                                                    Jul 21, 2022 05:05:02.871273994 CEST6478153192.168.2.68.8.8.8
                                                                                                    Jul 21, 2022 05:05:02.905797958 CEST53647818.8.8.8192.168.2.6
                                                                                                    Jul 21, 2022 05:05:02.907171965 CEST5118553192.168.2.68.8.8.8
                                                                                                    Jul 21, 2022 05:05:02.939260960 CEST53511858.8.8.8192.168.2.6
                                                                                                    Jul 21, 2022 05:05:25.797447920 CEST53631988.8.8.8192.168.2.6
                                                                                                    Jul 21, 2022 05:05:25.906717062 CEST53571588.8.8.8192.168.2.6
                                                                                                    TimestampSource IPDest IPChecksumCodeType
                                                                                                    Jul 21, 2022 05:03:10.793848991 CEST192.168.2.68.8.8.8cff1(Port unreachable)Destination Unreachable
                                                                                                    Jul 21, 2022 05:03:11.789988041 CEST192.168.2.68.8.8.8cff1(Port unreachable)Destination Unreachable
                                                                                                    Jul 21, 2022 05:04:35.507611990 CEST192.168.2.68.8.8.8cff1(Port unreachable)Destination Unreachable
                                                                                                    Jul 21, 2022 05:04:36.698510885 CEST192.168.2.68.8.8.8cff1(Port unreachable)Destination Unreachable
                                                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                    Jul 21, 2022 05:00:40.717318058 CEST192.168.2.68.8.8.80x2249Standard query (0)www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:02.787278891 CEST192.168.2.68.8.8.80xff6aStandard query (0)www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:41.441159964 CEST192.168.2.68.8.8.80xef79Standard query (0)eetebu.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:41.476295948 CEST192.168.2.68.8.8.80xf616Standard query (0)ufmuub.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:41.512510061 CEST192.168.2.68.8.8.80x443eStandard query (0)euxngi.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:41.547054052 CEST192.168.2.68.8.8.80xe7c4Standard query (0)auyazv.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:41.591639042 CEST192.168.2.68.8.8.80x5e57Standard query (0)hiapba.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:01.722599030 CEST192.168.2.68.8.8.80x7ac6Standard query (0)iqzvcy.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:01.758811951 CEST192.168.2.68.8.8.80x2856Standard query (0)yuyuol.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.229168892 CEST192.168.2.68.8.8.80xcd61Standard query (0)mlgjto.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.263662100 CEST192.168.2.68.8.8.80x62a9Standard query (0)muyuou.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.298800945 CEST192.168.2.68.8.8.80xc93bStandard query (0)ihfjtf.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.327914953 CEST192.168.2.68.8.8.80x38d4Standard query (0)jueuby.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.362802982 CEST192.168.2.68.8.8.80xb0e0Standard query (0)oivayb.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.398444891 CEST192.168.2.68.8.8.80xc093Standard query (0)easecy.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.447536945 CEST192.168.2.68.8.8.80xc85eStandard query (0)mlsjzu.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.483441114 CEST192.168.2.68.8.8.80xeae5Standard query (0)oqiqee.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.513360023 CEST192.168.2.68.8.8.80x5772Standard query (0)rmdyox.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.549376965 CEST192.168.2.68.8.8.80xa768Standard query (0)jkjztp.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.576930046 CEST192.168.2.68.8.8.80x2eeeStandard query (0)jyruxe.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.604532957 CEST192.168.2.68.8.8.80xb18cStandard query (0)bswdic.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.633825064 CEST192.168.2.68.8.8.80x2e31Standard query (0)shyykl.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.660839081 CEST192.168.2.68.8.8.80x8a75Standard query (0)ylyguq.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.689795017 CEST192.168.2.68.8.8.80xa9a8Standard query (0)iietwy.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.717899084 CEST192.168.2.68.8.8.80x18ccStandard query (0)ovalzq.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.745717049 CEST192.168.2.68.8.8.80x56e6Standard query (0)kymlxf.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.780255079 CEST192.168.2.68.8.8.80xbaecStandard query (0)zwstuy.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.810801983 CEST192.168.2.68.8.8.80x64fStandard query (0)qxuyel.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.841947079 CEST192.168.2.68.8.8.80x1ad2Standard query (0)nuejea.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.871273994 CEST192.168.2.68.8.8.80x93c4Standard query (0)ytyepn.comA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:05:02.907171965 CEST192.168.2.68.8.8.80xaab6Standard query (0)pfdpty.comA (IP address)IN (0x0001)
                                                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                    Jul 21, 2022 05:00:40.737085104 CEST8.8.8.8192.168.2.60x2249Server failure (2)www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:01:11.055315971 CEST8.8.8.8192.168.2.60x19faNo error (0)www-bing-com.dual-a-0001.a-msedge.netdual-a-0001.a-msedge.netCNAME (Canonical name)IN (0x0001)
                                                                                                    Jul 21, 2022 05:01:11.055315971 CEST8.8.8.8192.168.2.60x19faNo error (0)dual-a-0001.a-msedge.net204.79.197.200A (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:01:11.055315971 CEST8.8.8.8192.168.2.60x19faNo error (0)dual-a-0001.a-msedge.net13.107.21.200A (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:02:36.417407036 CEST8.8.8.8192.168.2.60x60e9Name error (3)src.gide.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:02:36.493227005 CEST8.8.8.8192.168.2.60x607cName error (3)ww.ziten.runonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:02.806766033 CEST8.8.8.8192.168.2.60xff6aServer failure (2)www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:07.751549959 CEST8.8.8.8192.168.2.60x409eName error (3)kto.gind.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:09.965878963 CEST8.8.8.8192.168.2.60x146aServer failure (2)lnn.maft.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:10.793631077 CEST8.8.8.8192.168.2.60x146aServer failure (2)lnn.maft.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:11.789839983 CEST8.8.8.8192.168.2.60x146aServer failure (2)lnn.maft.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:36.460840940 CEST8.8.8.8192.168.2.60xf8f0Name error (3)agrwiq.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:36.495937109 CEST8.8.8.8192.168.2.60xa73bName error (3)bnylmd.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:36.550949097 CEST8.8.8.8192.168.2.60x29cName error (3)wofqss.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:36.660929918 CEST8.8.8.8192.168.2.60x6afName error (3)akiypc.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.145467997 CEST8.8.8.8192.168.2.60xc064Name error (3)mjrztu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.206502914 CEST8.8.8.8192.168.2.60xda11Name error (3)knajpk.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.241739035 CEST8.8.8.8192.168.2.60x6e97Name error (3)oyebru.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.322237968 CEST8.8.8.8192.168.2.60x6e9cName error (3)voirue.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.353966951 CEST8.8.8.8192.168.2.60xae4dName error (3)ovlicu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.409765959 CEST8.8.8.8192.168.2.60x37d8Name error (3)qsyrmp.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.444437027 CEST8.8.8.8192.168.2.60xf156Name error (3)gvkzcm.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.521945000 CEST8.8.8.8192.168.2.60x64d6Name error (3)oirlzx.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.556238890 CEST8.8.8.8192.168.2.60x3d62Name error (3)kqmkgp.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.621068954 CEST8.8.8.8192.168.2.60x2c4fName error (3)anyqaz.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:37.762723923 CEST8.8.8.8192.168.2.60xf514Name error (3)haqipv.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.264153004 CEST8.8.8.8192.168.2.60x254fName error (3)flpuej.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.293865919 CEST8.8.8.8192.168.2.60x381cName error (3)mwhmpz.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.327878952 CEST8.8.8.8192.168.2.60x840bName error (3)yxdidf.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.362380981 CEST8.8.8.8192.168.2.60xf360Name error (3)edbeos.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.403744936 CEST8.8.8.8192.168.2.60xe154Name error (3)oletfa.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.440141916 CEST8.8.8.8192.168.2.60xa8a5Name error (3)qrmrxa.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.478115082 CEST8.8.8.8192.168.2.60x16c8Name error (3)edmwpe.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.518281937 CEST8.8.8.8192.168.2.60xd837Name error (3)cjebbx.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.552108049 CEST8.8.8.8192.168.2.60xe775Name error (3)zeufbm.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.580945015 CEST8.8.8.8192.168.2.60x97bbName error (3)qsuuox.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.611022949 CEST8.8.8.8192.168.2.60x2d9eName error (3)dhmqvm.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.649991035 CEST8.8.8.8192.168.2.60x6abcName error (3)auowel.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.697968006 CEST8.8.8.8192.168.2.60xc4b5Name error (3)mbbaux.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.732279062 CEST8.8.8.8192.168.2.60xa484Name error (3)tpoxvi.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.761785984 CEST8.8.8.8192.168.2.60x3109Name error (3)vqzvfi.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.790285110 CEST8.8.8.8192.168.2.60xbee3Name error (3)qfsper.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.820902109 CEST8.8.8.8192.168.2.60xa1eName error (3)akelqu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.861679077 CEST8.8.8.8192.168.2.60x74f8Name error (3)yfgraf.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.894556046 CEST8.8.8.8192.168.2.60x2c55Name error (3)uwyrsy.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.924665928 CEST8.8.8.8192.168.2.60x7288Name error (3)hoqayg.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:03:59.968715906 CEST8.8.8.8192.168.2.60xe7f6Name error (3)odivfj.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:00.006570101 CEST8.8.8.8192.168.2.60x5a60Name error (3)mjdvvw.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:00.041260958 CEST8.8.8.8192.168.2.60xb078Name error (3)pfntvw.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:01.053401947 CEST8.8.8.8192.168.2.60x5ddcName error (3)src.gide.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:01.213428974 CEST8.8.8.8192.168.2.60x7ef6Name error (3)ww.ziten.runonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.124878883 CEST8.8.8.8192.168.2.60xe568Name error (3)nkewuc.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.152489901 CEST8.8.8.8192.168.2.60xce79Name error (3)wkedxi.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.184056044 CEST8.8.8.8192.168.2.60xf953Name error (3)julanu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.218264103 CEST8.8.8.8192.168.2.60xedc8Name error (3)lntyhe.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.247307062 CEST8.8.8.8192.168.2.60xa072Name error (3)vusvyj.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.287319899 CEST8.8.8.8192.168.2.60x4a85Name error (3)pniyeh.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.324913979 CEST8.8.8.8192.168.2.60x8a0dName error (3)pgmuok.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.359482050 CEST8.8.8.8192.168.2.60x3091Name error (3)skpqjl.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.389333963 CEST8.8.8.8192.168.2.60xc317Name error (3)oevgnn.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.419078112 CEST8.8.8.8192.168.2.60x3a1Name error (3)unuyas.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.529089928 CEST8.8.8.8192.168.2.60xb9e3Name error (3)ohqasc.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.558710098 CEST8.8.8.8192.168.2.60x51faName error (3)oyadis.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.585855007 CEST8.8.8.8192.168.2.60xd32eName error (3)akufuf.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.614231110 CEST8.8.8.8192.168.2.60xd780Name error (3)yexisu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.641856909 CEST8.8.8.8192.168.2.60x47c6Name error (3)nrwwej.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.677270889 CEST8.8.8.8192.168.2.60x8b13Name error (3)pxzoao.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.714093924 CEST8.8.8.8192.168.2.60x97dcName error (3)iooaai.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.749123096 CEST8.8.8.8192.168.2.60xbe6dName error (3)vaaoff.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.783030987 CEST8.8.8.8192.168.2.60x482Name error (3)uptrqo.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.818799973 CEST8.8.8.8192.168.2.60x83aName error (3)usecvu.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.862175941 CEST8.8.8.8192.168.2.60x11cName error (3)eixjei.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.892589092 CEST8.8.8.8192.168.2.60x72f5Name error (3)yfobli.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.922207117 CEST8.8.8.8192.168.2.60x7656Name error (3)weuanq.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.963897943 CEST8.8.8.8192.168.2.60x63c2Name error (3)dzwrvg.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:20.994998932 CEST8.8.8.8192.168.2.60x1328Name error (3)bhhhpq.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:21.025641918 CEST8.8.8.8192.168.2.60x21d7Name error (3)yldizc.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:21.069025993 CEST8.8.8.8192.168.2.60x6190Name error (3)aueolp.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:21.100743055 CEST8.8.8.8192.168.2.60x9f79Name error (3)raniod.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:21.127832890 CEST8.8.8.8192.168.2.60x24e9Name error (3)guseek.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:21.162177086 CEST8.8.8.8192.168.2.60x5bebName error (3)vvwxii.comnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:32.489795923 CEST8.8.8.8192.168.2.60x1167Name error (3)kto.gind.atnonenoneA (IP address)IN (0x0001)
                                                                                                    Jul 21, 2022 05:04:34.699992895 CEST8.8.8.8192.168.2.60xff6Server failure (2)lnn.maft.atnonenoneA (IP address)IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 21, 2022 05:04:35.507515907 CEST | 8.8.8.8 | 192.168.2.6 | 0xff6 | Server failure (2) | lnn.maft.at | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:36.698256016 CEST | 8.8.8.8 | 192.168.2.6 | 0xff6 | Server failure (2) | lnn.maft.at | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.474972963 CEST | 8.8.8.8 | 192.168.2.6 | 0xef79 | Name error (3) | eetebu.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.504416943 CEST | 8.8.8.8 | 192.168.2.6 | 0xf616 | Name error (3) | ufmuub.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.541178942 CEST | 8.8.8.8 | 192.168.2.6 | 0x443e | Name error (3) | euxngi.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.584184885 CEST | 8.8.8.8 | 192.168.2.6 | 0xe7c4 | Name error (3) | auyazv.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.705638885 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e57 | No error (0) | hiapba.com | traff-2.hugedomains.com | | CNAME (Canonical name) | IN (0x0001)
Jul 21, 2022 05:04:41.705638885 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e57 | No error (0) | traff-2.hugedomains.com | hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Jul 21, 2022 05:04:41.705638885 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e57 | No error (0) | hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | | 3.130.204.160 | A (IP address) | IN (0x0001)
Jul 21, 2022 05:04:41.705638885 CEST | 8.8.8.8 | 192.168.2.6 | 0x5e57 | No error (0) | hdr-nlb5-4e815dd67a14bf7f.elb.us-east-2.amazonaws.com | | 3.130.253.23 | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:01.757044077 CEST | 8.8.8.8 | 192.168.2.6 | 0x7ac6 | Name error (3) | iqzvcy.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.262406111 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd61 | Name error (3) | mlgjto.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.297456980 CEST | 8.8.8.8 | 192.168.2.6 | 0x62a9 | Name error (3) | muyuou.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.326379061 CEST | 8.8.8.8 | 192.168.2.6 | 0xc93b | Name error (3) | ihfjtf.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.361265898 CEST | 8.8.8.8 | 192.168.2.6 | 0x38d4 | Name error (3) | jueuby.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.392694950 CEST | 8.8.8.8 | 192.168.2.6 | 0xb0e0 | Name error (3) | oivayb.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.445231915 CEST | 8.8.8.8 | 192.168.2.6 | 0xc093 | Name error (3) | easecy.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.481606960 CEST | 8.8.8.8 | 192.168.2.6 | 0xc85e | Name error (3) | mlsjzu.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.510925055 CEST | 8.8.8.8 | 192.168.2.6 | 0xeae5 | Name error (3) | oqiqee.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.547997952 CEST | 8.8.8.8 | 192.168.2.6 | 0x5772 | Name error (3) | rmdyox.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.575488091 CEST | 8.8.8.8 | 192.168.2.6 | 0xa768 | Name error (3) | jkjztp.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.603158951 CEST | 8.8.8.8 | 192.168.2.6 | 0x2eee | Name error (3) | jyruxe.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.632193089 CEST | 8.8.8.8 | 192.168.2.6 | 0xb18c | Name error (3) | bswdic.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.659459114 CEST | 8.8.8.8 | 192.168.2.6 | 0x2e31 | Name error (3) | shyykl.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.688256025 CEST | 8.8.8.8 | 192.168.2.6 | 0x8a75 | Name error (3) | ylyguq.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.716351032 CEST | 8.8.8.8 | 192.168.2.6 | 0xa9a8 | Name error (3) | iietwy.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.743705034 CEST | 8.8.8.8 | 192.168.2.6 | 0x18cc | Name error (3) | ovalzq.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.778855085 CEST | 8.8.8.8 | 192.168.2.6 | 0x56e6 | Name error (3) | kymlxf.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.808152914 CEST | 8.8.8.8 | 192.168.2.6 | 0xbaec | Name error (3) | zwstuy.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.838634968 CEST | 8.8.8.8 | 192.168.2.6 | 0x64f | Name error (3) | qxuyel.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.869591951 CEST | 8.8.8.8 | 192.168.2.6 | 0x1ad2 | Name error (3) | nuejea.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.905797958 CEST | 8.8.8.8 | 192.168.2.6 | 0x93c4 | Name error (3) | ytyepn.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:02.939260960 CEST | 8.8.8.8 | 192.168.2.6 | 0xaab6 | Name error (3) | pfdpty.com | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:25.797447920 CEST | 8.8.8.8 | 192.168.2.6 | 0x85b7 | Name error (3) | src.gide.at | none | none | A (IP address) | IN (0x0001)
Jul 21, 2022 05:05:25.906717062 CEST | 8.8.8.8 | 192.168.2.6 | 0x6afc | Name error (3) | ww.ziten.ru | none | none | A (IP address) | IN (0x0001)

                                                                                                    Target ID:0
                                                                                                    Start time:05:00:30
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\loaddll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:loaddll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll"
                                                                                                    Imagebase:0x920000
                                                                                                    File size:116736 bytes
                                                                                                    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Target ID:1
                                                                                                    Start time:05:00:31
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1
                                                                                                    Imagebase:0xed0000
                                                                                                    File size:232960 bytes
                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Target ID:2
                                                                                                    Start time:05:00:31
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe C:\Users\user\Desktop\UBpReASuEC.dll,PlayGame
                                                                                                    Imagebase:0xef0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Target ID:3
                                                                                                    Start time:05:00:31
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",#1
                                                                                                    Imagebase:0xef0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Target ID:4
                                                                                                    Start time:05:00:33
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\mssecsvc.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\WINDOWS\mssecsvc.exe
                                                                                                    Imagebase:0x400000
                                                                                                    File size:3751936 bytes
                                                                                                    MD5 hash:2391E0DBB3A7862306913032CE72F302
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.390692739.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.712940908.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.390830304.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.395187719.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.392189177.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.392372689.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.396523616.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.395038973.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.713109877.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.396673500.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly)
                                                                                                    • Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT)
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team
                                                                                                    Antivirus matches:
                                                                                                    • Detection: 100%, Avira
                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                    Reputation:low

                                                                                                    Target ID:5
                                                                                                    Start time:05:00:35
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:rundll32.exe "C:\Users\user\Desktop\UBpReASuEC.dll",PlayGame
                                                                                                    Imagebase:0xef0000
                                                                                                    File size:61952 bytes
                                                                                                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Target ID:6
                                                                                                    Start time:05:00:36
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\mssecsvc.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\WINDOWS\mssecsvc.exe
                                                                                                    Imagebase:0x400000
                                                                                                    File size:3751936 bytes
                                                                                                    MD5 hash:2391E0DBB3A7862306913032CE72F302
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.395643051.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.400396194.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.398897193.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.397658913.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.400479545.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.395761146.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.398730935.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.397443595.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.470437987.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.470687764.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team

                                                                                                    Target ID:7
                                                                                                    Start time:05:00:38
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\winlogon.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:winlogon.exe
                                                                                                    Imagebase:0x7ff7addb0000
                                                                                                    File size:677376 bytes
                                                                                                    MD5 hash:F9017F2DC455AD373DF036F5817A8870
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    Target ID:9
                                                                                                    Start time:05:00:40
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\mssecsvc.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\WINDOWS\mssecsvc.exe -m security
                                                                                                    Imagebase:0x400000
                                                                                                    File size:3751936 bytes
                                                                                                    MD5 hash:2391E0DBB3A7862306913032CE72F302
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.403899564.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
                                                                                                    • Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.517302066.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                    • Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.517693947.0000000000710000.00000080.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
• Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.403788291.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security

Target ID: 10
Start time: 05:00:40
Start date: 21/07/2022
Path: C:\Windows\System32\lsass.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\lsass.exe
Imagebase: 0x7ff698380000
File size: 57976 bytes
MD5 hash: 317340CD278A374BCEF6A30194557227
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 12
Start time: 05:00:43
Start date: 21/07/2022
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: fontdrvhost.exe
Imagebase: 0x7ff729420000
File size: 790304 bytes
MD5 hash: 31113981180E69C2773BCADA4051738A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 14
Start time: 05:00:44
Start date: 21/07/2022
Path: C:\Windows\System32\fontdrvhost.exe
Wow64 process (32bit): false
Commandline: fontdrvhost.exe
Imagebase: 0x7ff729420000
File size: 790304 bytes
MD5 hash: 31113981180E69C2773BCADA4051738A
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 17
Start time: 05:00:50
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s PlugPlay
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 18
Start time: 05:00:51
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 19
Start time: 05:00:57
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k rpcss -p
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 20
Start time: 05:01:00
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k dcomlaunch -p -s LSM
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 21
Start time: 05:01:01
Start date: 21/07/2022
Path: C:\Windows\System32\dwm.exe
Wow64 process (32bit): false
Commandline: dwm.exe
Imagebase: 0x7ff769df0000
File size: 62464 bytes
MD5 hash: 70073A05B2B43FFB7A625708BB29E7C7
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 22
Start time: 05:01:05
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 23
Start time: 05:01:10
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 24
Start time: 05:01:10
Start date: 21/07/2022
Path: C:\Windows\System32\backgroundTaskHost.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppXy7vb4pc2dr3kc93kfc509b1d0arkfb2x.mca
Imagebase: 0x7ff783d30000
File size: 19352 bytes
MD5 hash: B7FC4A29431D4F795BBAB1FB182B759A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 25
Start time: 05:01:27
Start date: 21/07/2022
Path: C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit): false
Commandline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase: 0x7ff6536a0000
File size: 36864 bytes
MD5 hash: 02BA81746B929ECC9DB6665589B68335
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 26
Start time: 05:01:33
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s gpsvc
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 27
Start time: 05:01:36
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 28
Start time: 05:01:41
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s lmhosts
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 29
Start time: 05:01:42
Start date: 21/07/2022
Path: C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit): false
Commandline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase: 0x7ff6536a0000
File size: 36864 bytes
MD5 hash: 02BA81746B929ECC9DB6665589B68335
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 30
Start time: 05:01:42
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s Schedule
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 31
Start time: 05:01:46
Start date: 21/07/2022
Path: C:\Windows\System32\wbem\WMIADAP.exe
Wow64 process (32bit): false
Commandline: wmiadap.exe /F /T /R
Imagebase: 0x7ff633440000
File size: 177664 bytes
MD5 hash: 9783D0765F31980950445DFD40DB15DA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 32
Start time: 05:01:47
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 33
Start time: 05:01:48
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s TimeBrokerSvc
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language

Target ID: 34
Start time: 05:01:49
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 35
Start time: 05:01:51
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k netsvcs -p -s UserManager
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Target ID: 37
Start time: 05:01:57
Start date: 21/07/2022
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s EventLog
Imagebase: 0x7ff726010000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    Target ID:38
                                                                                                    Start time:05:02:08
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k localservice -p -s EventSystem
                                                                                                    Imagebase:0x7ff726010000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    Target ID:39
                                                                                                    Start time:05:02:09
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\backgroundTaskHost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXv783p9dqgsc3mek8m05c3tj95wa9p858.mca
                                                                                                    Imagebase:0x7ff783d30000
                                                                                                    File size:19352 bytes
                                                                                                    MD5 hash:B7FC4A29431D4F795BBAB1FB182B759A
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:false
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    Target ID:40
                                                                                                    Start time:05:02:15
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                    Imagebase:0x7ff726010000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language

                                                                                                    Target ID:41
                                                                                                    Start time:05:02:16
                                                                                                    Start date:21/07/2022
                                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:c:\windows\system32\svchost.exe -k netsvcs -p -s Themes
                                                                                                    Imagebase:0x7ff726010000
                                                                                                    File size:51288 bytes
                                                                                                    MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language


                                                                                                      Execution Graph

                                                                                                      Execution Coverage:2.9%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:63.3%
                                                                                                      Total number of Nodes:622
                                                                                                      Total number of Limit Nodes:2

Control-flow Graph (function starting at bd042d; rendered graph and edge list not reproduced)
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 00BD04BE
• GetVersion.KERNEL32 ref: 00BD0500
• VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 00BD0528
• FindCloseChangeNotification.KERNELBASE(?), ref: 00BD05AD
Strings
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: AllocChangeCloseFindHandleModuleNotificationVersionVirtual
• String ID: \BaseNamedObjects\rgltVt$\BaseNamedObjects\rgltVt$csrs
• API String ID: 2920002527-2534361129
• Opcode ID: 1c9046a76cd4f9cc91b46eb41cc31d523b20a60f6ceb114047097b2d910fbad8
• Instruction ID: f4f24aa57a66110a462c12d79527a1b9f1471ef7a56a2ee25242dfca5079a70c
• Opcode Fuzzy Hash: 1c9046a76cd4f9cc91b46eb41cc31d523b20a60f6ceb114047097b2d910fbad8
• Instruction Fuzzy Hash: 73B1D031514249FFEB21AF20C849BAA7BE9EF45314F10016AFD089E281E7F19F45DB59
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function starting at bd05f2; rendered graph and edge list not reproduced)
APIs
• FindCloseChangeNotification.KERNELBASE(?), ref: 00BD05AD
• GetModuleHandleA.KERNEL32(00BD05EC), ref: 00BD05F2
• lstrcpyW.KERNEL32(\BaseNamedObjects\rgltVt,\BaseNamedObjects\rgltVt), ref: 00BD070A
• lstrcpyW.KERNEL32(\BaseNamedObjects\rgltVt,?), ref: 00BD072D
• lstrcatW.KERNEL32(\BaseNamedObjects\rgltVt,\rgltVt), ref: 00BD073B
• NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 00BD076B
• NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00BD0786
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BD07C9
• Process32First.KERNEL32 ref: 00BD07DC
• Process32Next.KERNEL32 ref: 00BD07ED
• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD0805
• CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00BD0842
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD085D
• FindCloseChangeNotification.KERNELBASE ref: 00BD086C
Strings
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: ChangeCloseFindNotification$CreateOpenProcessProcess32lstrcpy$FirstHandleModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
• String ID: \BaseNamedObjects\rgltVt$\BaseNamedObjects\rgltVt$csrs
• API String ID: 3804105423-2534361129
• Opcode ID: 17150f67079a076ac3b54c180adee95029a37e06bb0e30beb99ad34a9de5a8e6
• Instruction ID: 378d3725de3f4262408533c668a57e1d76649311e22e62a34b3935d3fba3e8a9
• Opcode Fuzzy Hash: 17150f67079a076ac3b54c180adee95029a37e06bb0e30beb99ad34a9de5a8e6
• Instruction Fuzzy Hash: 5571CD31210205FFDB21AF10C849BAE7BADEF55315F0400AAFD099E291E7B1AF45EB59
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function starting at bd116f; rendered graph and edge list not reproduced)
APIs
• LoadLibraryA.KERNEL32(00BD1162,00BD0796,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD116F
  • Part of subcall function 00BD1196: GetProcAddress.KERNEL32(00000000,00BD1180), ref: 00BD1197
Strings
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: \rgltVt
• API String ID: 2574300362-2371919082
• Opcode ID: 6b25eae9ee9b83da6e5f8c056e2c57b87ce23cad4183cb8f8d95ab1501d07893
• Instruction ID: 1eb82352ea9b6f0e023c1ded0a03b72e24f984fe0b017eaf1e62264d773c39ff
• Opcode Fuzzy Hash: 6b25eae9ee9b83da6e5f8c056e2c57b87ce23cad4183cb8f8d95ab1501d07893
• Instruction Fuzzy Hash: B3814861C1D2827EC735AA7C48454ADFFE6EA2276070C5EDFC4B59BB53F2228D038649
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (single block bd252f-bd2573: NtOpenSection; rendered graph not reproduced)
APIs
• NtOpenSection.NTDLL(?,0000000E), ref: 00BD255E
Strings
• \BaseNamedObjects\rgltVt, xrefs: 00BD254B
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: OpenSection
• String ID: \BaseNamedObjects\rgltVt
• API String ID: 1950954290-2940223550
• Opcode ID: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
• Instruction ID: be79e926c7ba3cdd2c7dd474d1815d54d5159c487d34c6ebacd093897ac0aaf8
• Opcode Fuzzy Hash: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
• Instruction Fuzzy Hash: 75E09AF17402063AFB288A29CC17FA7228DCB80602F0C8604F918DA080E5B4AB108268
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (function starting at bd2574; rendered graph and edge list not reproduced)
APIs
  • Part of subcall function 00BD252F: NtOpenSection.NTDLL(?,0000000E), ref: 00BD255E
• NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 00BD25A4
• FindCloseChangeNotification.KERNELBASE(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,00BD0815), ref: 00BD25AC
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: Section$ChangeCloseFindNotificationOpenView
• String ID:
• API String ID: 1694706092-0
• Opcode ID: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
• Instruction ID: fba7564c955865994041103534af4fbb5dca34036aa4610135b8a96514dca663
• Opcode Fuzzy Hash: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
• Instruction Fuzzy Hash: F2218370300685ABDB24DF25DC56FA9B3A9FFA0744F404159F9198F394EBB1AE10CB54
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (single block bd1422-bd1474: LookupPrivilegeValueA, NtAdjustPrivilegesToken; rendered graph not reproduced)
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00BD145A
• NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00BD146A
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: AdjustLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 3615134276-0
• Opcode ID: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
• Instruction ID: d6f38f481fcad269b120698a2c1356ff37e0dff7a02be2eff211d383f83c851a
• Opcode Fuzzy Hash: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
• Instruction Fuzzy Hash: F8F0E932542010BBD6201B42CC8EED73E28EF533A0F040455F4484E151C2624BA1D3F4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (single block bd2477-bd24ad: NtProtectVirtualMemory, NtWriteVirtualMemory; rendered graph not reproduced)
APIs
• NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00BD249B
• NtWriteVirtualMemory.NTDLL ref: 00BD24A4
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: MemoryVirtual$ProtectWrite
• String ID:
• API String ID: 151266762-0
• Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
• Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
Uniqueness
Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 345 bd144a-bd1474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                                      APIs
                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00BD145A
                                                                                                      • NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00BD146A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3615134276-0
                                                                                                      • Opcode ID: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
                                                                                                      • Instruction ID: 47fd2fdfef69c01f2383a78087d1294dd7e4f4bd71475d1ca0affc6c0d2f20e2
                                                                                                      • Opcode Fuzzy Hash: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
                                                                                                      • Instruction Fuzzy Hash: 1BD06771643034BBD6312A568C0EEE77D1DEF577A0F015441F9089A1A1C5A28EA1C6F5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 129 bd07ac-bd07bf call bd144a FreeLibrary FindCloseChangeNotification 132 bd07c5-bd07e4 CreateToolhelp32Snapshot Process32First 129->132 133 bd07eb-bd07f5 Process32Next 132->133 134 bd0865-bd0872 FindCloseChangeNotification 133->134 135 bd07f7-bd07fb 133->135 136 bd05a9-bd05d1 FindCloseChangeNotification 134->136 135->133 137 bd07fd-bd080d OpenProcess 135->137 141 bd05d3-bd05fc SetProcessAffinityMask call bd05f2 136->141 137->133 138 bd080f 137->138 140 bd0810-bd0818 call bd2574 138->140 145 bd085c-bd0863 FindCloseChangeNotification 140->145 146 bd081a-bd0820 140->146 149 bd05fe-bd061c 141->149 150 bd0621-bd0630 141->150 145->133 146->145 148 bd0822-bd0832 146->148 148->145 151 bd0834-bd084b CreateRemoteThread 148->151 149->150 152 bd0639-bd0652 150->152 153 bd0632 150->153 151->145 154 bd084d-bd0857 call bd05ba 151->154 152->136 155 bd0658-bd0671 152->155 153->152 154->145 155->136 156 bd0677-bd0690 155->156 156->136 158 bd0696-bd069c 156->158 159 bd069e-bd06b1 158->159 160 bd06d8-bd06de 158->160 159->136 161 bd06b7-bd06bd 159->161 162 bd06fc-bd0715 lstrcpyW call bd24ae 160->162 163 bd06e0-bd06f3 160->163 161->160 164 bd06bf-bd06d2 161->164 168 bd074c-bd0775 NtMapViewOfSection 162->168 169 bd0717-bd0746 GetPEB lstrcpyW lstrcatW call bd24ae 162->169 163->162 165 bd06f5 163->165 164->136 164->160 165->162 168->136 171 bd077b-bd078f call bd0305 NtOpenProcessToken 168->171 169->136 169->168 171->132 175 bd0791-bd07a3 call bd115d call bd07ac 171->175 180 bd080e-bd080f 175->180 181 bd07a5 175->181 180->140 181->140 182 bd07a7-bd07e4 CreateToolhelp32Snapshot Process32First 181->182 182->133
                                                                                                      APIs
                                                                                                        • Part of subcall function 00BD144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00BD145A
                                                                                                        • Part of subcall function 00BD144A: NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00BD146A
                                                                                                      • FindCloseChangeNotification.KERNELBASE(?), ref: 00BD05AD
                                                                                                      • FreeLibrary.KERNEL32(76DF0000,?,00BD079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD07B8
                                                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,00BD079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD07BF
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BD07C9
                                                                                                      • Process32First.KERNEL32 ref: 00BD07DC
                                                                                                      • Process32Next.KERNEL32 ref: 00BD07ED
                                                                                                      • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD0805
                                                                                                      • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00BD0842
                                                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD085D
                                                                                                      • FindCloseChangeNotification.KERNELBASE ref: 00BD086C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: ChangeCloseFindNotification$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                                                                      • String ID: csrs
                                                                                                      • API String ID: 238827593-2321902090
                                                                                                      • Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
                                                                                                      • Instruction ID: 20793470305b0372e2c8e9442d645e664afb572364709bdab046bf4af8132426
                                                                                                      • Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
                                                                                                      • Instruction Fuzzy Hash: FB112130516105FBEB256F21CC4DFBF7AADEF54701F00006EFD4699151E6B19E019A6A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 291 7fea43d8-7fea43e0 292 7fea43e2-7fea43ec 291->292 293 7fea4407-7fea4443 CreateFileA 291->293 292->293 298 7fea43ee-7fea43ff 292->298 300 7fea4466-7fea448c 293->300 301 7fea4445-7fea445e 293->301 298->293 303 7fea4401 298->303 308 7fea448e-7fea4495 300->308 309 7fea4497-7fea44c1 CreateFileMappingA 300->309 301->300 306 7fea4460 301->306 303->293 306->300 308->309 312 7fea44cc-7fea44e1 MapViewOfFile 309->312 313 7fea44c3-7fea44ca 309->313 315 7fea44e7-7fea44ed 312->315 313->312
                                                                                                      APIs
                                                                                                      • CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61,?,?,7FEA4345,?,7FEA4327,?,7FEA4303), ref: 7FEA442C
                                                                                                      • CreateFileMappingA.KERNEL32(?,00000000,00000004,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA44A4
                                                                                                      • MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA44D9
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Create$MappingView
                                                                                                      • String ID:
                                                                                                      • API String ID: 1299149932-0
                                                                                                      • Opcode ID: a25d0a244bd87399e907a8ca4fb165620c37478fabe61e369b42e3abbdd64840
                                                                                                      • Instruction ID: f642a9f299f9543a5b0287ba49c011da509250de9aef83acac8e8c1155f8e25e
                                                                                                      • Opcode Fuzzy Hash: a25d0a244bd87399e907a8ca4fb165620c37478fabe61e369b42e3abbdd64840
                                                                                                      • Instruction Fuzzy Hash: 6C21327020430ABAEB229E60CC45BFE356DEF00619F104629E91B9E0A4E7F2AF158754
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
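
Decoding the numeric arguments makes the routines above easier to read: OpenProcess at 00BD0805 asks for access 0x2A, NtProtectVirtualMemory at 00BD249B passes 0x40 as the new protection, CreateFileA at 7FEA442C opens with access 0xC0000000 and creation disposition 3, and MapViewOfFile at 7FEA44D9 maps with 0x000F001F. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses trace lines in the report's own format, names the flag bits using the values from the Windows SDK headers, and flags the OpenProcess / write / make-executable / CreateRemoteThread chain that the 00BD07AC routine and its 00BD2477 subroutine show. It assumes (as the long argument lists suggest) that the report prints the raw call-time stack, so only the leading entries correspond to real parameters and the rest are ignored; the trace lines embedded in it are copied from the functions above, with trailing stack words trimmed on the last two.

```python
"""Added example, not from the Joe Sandbox report or the analysed sample: decode the numeric
arguments in the report's API trace lines and flag the remote-thread injection chain."""
import re
from typing import Dict, List, Optional, Tuple

# Constant values from the Windows SDK headers (winnt.h, fileapi.h, memoryapi.h).
PROCESS_ACCESS = {0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE", 0x400: "PROCESS_QUERY_INFORMATION"}
PAGE_PROTECT = {0x1: "PAGE_NOACCESS", 0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE", 0x8: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE", 0xF0000: "STANDARD_RIGHTS_REQUIRED"}
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# (API, zero-based parameter index) -> (parameter name, table, True = bitmask / False = enum)
ARG_DECODERS = {
    ("OpenProcess", 0): ("dwDesiredAccess", PROCESS_ACCESS, True),
    ("NtProtectVirtualMemory", 3): ("NewProtect", PAGE_PROTECT, True),
    ("CreateFileA", 1): ("dwDesiredAccess", GENERIC_ACCESS, True),
    ("CreateFileA", 4): ("dwCreationDisposition", CREATION_DISPOSITION, False),
    ("CreateFileMappingA", 2): ("flProtect", PAGE_PROTECT, True),
    ("MapViewOfFile", 1): ("dwDesiredAccess", SECTION_ACCESS, True),
}
# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR", as printed in the report.
LINE_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
INJECT_RIGHTS = 0x2 | 0x8 | 0x20  # CREATE_THREAD | VM_OPERATION | VM_WRITE: the minimum for CreateRemoteThread injection

def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every flag from `table` set in `value`; bits the table does not know stay as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return names

def parse_trace_line(line: str) -> Optional[Tuple[str, str, List[Optional[int]], int]]:
    """Return (api, module, args, ref) for one trace line; '?' and non-numeric args become None.
    Assumption: the printed argument list is the raw call-time stack, so entries past the
    API's real parameter count are caller data and are ignored by the decoders."""
    m = LINE_RE.search(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    for raw in (m["args"].split(",") if m["args"] else []):
        try:
            args.append(int(raw.strip(), 16))  # stack words are printed in hex, e.g. -00003BD0
        except ValueError:
            args.append(None)
    return m["api"], m["mod"], args, int(m["ref"], 16)

def decode_call(line: str) -> Dict[str, List[str]]:
    """Parameter name -> decoded names for every decodable parameter of one trace line."""
    parsed = parse_trace_line(line)
    if parsed is None:
        return {}
    api, _, args, _ = parsed
    out: Dict[str, List[str]] = {}
    for (name, idx), (param, table, is_mask) in ARG_DECODERS.items():
        if name == api and idx < len(args) and args[idx] is not None:
            v = args[idx]
            out[param] = decode_flags(v, table) if is_mask else [table.get(v, f"0x{v:X}")]
    return out

def injection_indicators(lines: List[str]) -> List[str]:
    """Flag the OpenProcess -> write / make executable -> CreateRemoteThread chain in a trace."""
    found = []
    for api, _, args, ref in filter(None, map(parse_trace_line, lines)):
        if api == "OpenProcess" and args and args[0] is not None and (args[0] & INJECT_RIGHTS) == INJECT_RIGHTS:
            found.append(f"OpenProcess@{ref:08X} asks for {'|'.join(decode_flags(args[0], PROCESS_ACCESS))}")
        elif api in ("NtWriteVirtualMemory", "WriteProcessMemory"):
            found.append(f"{api}@{ref:08X} writes into another process")
        elif api == "NtProtectVirtualMemory" and len(args) > 3 and args[3] == 0x40:
            found.append(f"NtProtectVirtualMemory@{ref:08X} sets PAGE_EXECUTE_READWRITE")
        elif api == "CreateRemoteThread":
            found.append(f"CreateRemoteThread@{ref:08X} starts a thread in the opened process")
    return found

# Trace lines copied from the report's functions at 00BD144A, 00BD07AC, 00BD2477 and 7FEA43D8
# (trailing stack words trimmed on the last two).
TRACE = [
    "• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00BD145A",
    "• NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00BD146A",
    "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BD07C9",
    "• Process32First.KERNEL32 ref: 00BD07DC",
    "• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00BD0805",
    "• NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00BD249B",
    "• NtWriteVirtualMemory.NTDLL ref: 00BD24A4",
    "• CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00BD0842",
    "• CreateFileA.KERNELBASE(?,C0000000,00000001,00000000,00000003,00000000,00000000,?,65676E61), ref: 7FEA442C",
    "• MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 7FEA44D9",
]
```

Import it and call decode_call on any trace line, or injection_indicators on the API list of one function block; ARG_DECODERS can be extended with any other API whose flag values the report prints in hex. The 0x2A access mask is the tell: it is exactly the three rights a CreateRemoteThread injector needs and nothing else, which a legitimate process-enumeration routine would rarely request.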

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 346 bd05ba-bd05bd 347 bd05bf-bd05c7 Sleep 346->347 348 bd05c9 346->348 347->346
                                                                                                      APIs
                                                                                                      • Sleep.KERNELBASE(0000000A,00BD085C,?,00000000,00000000,-00003BD0,00000002,00000000,?,00000000), ref: 00BD05C1
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Sleep
                                                                                                      • String ID:
                                                                                                      • API String ID: 3472027048-0
                                                                                                      • Opcode ID: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                                      • Instruction ID: b1aed1fec3f7ffaf06a748bbb7ee4bbf08b75a26198777f2459c3dc5ee88d06e
                                                                                                      • Opcode Fuzzy Hash: 3c1f989dfd13240381299ec7adf5382b251643946d8aa86ca05208ab7bb78418
                                                                                                      • Instruction Fuzzy Hash: AAB0122C25030095DA14291064CEB4457A47F11B15FE000DBEA064C1C417E507001D0D
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 498 7fea3bd5-7fea3bf1 499 7fea3bf3-7fea3bfb 498->499 500 7fea3c41-7fea3c4b call 7fea252f 498->500 501 7fea3bfc-7fea3bff 499->501 508 7fea3c4d-7fea3c74 call 7fea3c5a call 7fea26d4 GetProcAddress 500->508 509 7fea3c93-7fea3cbd GetSystemDirectoryA call 7fea3cb7 500->509 503 7fea3c2b 501->503 504 7fea3c01-7fea3c06 501->504 503->501 507 7fea3c2d-7fea3c3f GetWindowsDirectoryA 503->507 504->503 506 7fea3c08-7fea3c29 504->506 506->503 511 7fea3cbe-7fea3d58 call 7fea3cce GetProcAddress LoadLibraryA call 7fea10ce call 7fea01cb GetTickCount call 7fea3b0e 507->511 521 7fea3c78-7fea3c92 call 7fea3c88 508->521 522 7fea3c76 508->522 509->511 530 7fea3d5a 511->530 531 7fea3d60-7fea3d65 call 7fea3b0e 511->531 521->509 522->521 530->531 534 7fea3d67-7fea3d7e 531->534 535 7fea3d80-7fea3d90 call 7fea62df call 7fea273c 534->535 540 7fea3d92-7fea3d94 535->540 541 7fea3d96-7fea3db2 call 7fea62df 535->541 543 7fea3db3-7fea3db4 540->543 541->543 543->535 545 7fea3db6-7fea3dbc 543->545 545->534 546 7fea3dbe-7fea3dc8 call 7fea273c 545->546 549 7fea3dca-7fea3dd2 call 7fea2750 546->549 550 7fea3dd7-7fea3e10 call 7fea273c GetVolumeInformationA 546->550 549->550 554 7fea3e1a-7fea3e20 550->554 555 7fea3e12-7fea3e18 550->555 556 7fea3e29-7fea3e36 554->556 557 7fea3e22 554->557 555->556 558 7fea3e3c-7fea3e60 call 7fea3e4d 556->558 559 7fea3ebd 556->559 557->556 560 7fea3ec7 558->560 568 7fea3e62-7fea3e68 558->568 559->560 562 7fea3ec9-7fea3ee1 CreateThread CloseHandle 560->562 563 7fea3ee7-7fea3f54 call 7fea3ef8 call 7fea10ce call 7fea3f27 call 7fea10ce 560->563 562->563 582 7fea3f5a-7fea3f9d WSAStartup CreateThread CloseHandle CreateEventA 563->582 583 7fea425f-7fea4261 RtlExitUserThread 563->583 570 7fea3e6a-7fea3e6f 568->570 571 7fea3e91-7fea3ea5 568->571 573 7fea3e98-7fea3ea5 570->573 574 7fea3e71-7fea3e90 570->574 576 7fea3eac-7fea3eb6 571->576 573->576 574->571 576->559 577 7fea3eb8 call 7fea339d 576->577 577->559 584 7fea3fa3-7fea3fbb call 7fea3792 582->584 587 7fea3fbd-7fea3fc0 584->587 588 7fea3fc2-7fea3fd5 call 7fea3b28 584->588 587->588 589 7fea3fdd-7fea3fe5 587->589 596 7fea3fdb 588->596 597 7fea420d-7fea4214 588->597 592 7fea3ff6-7fea3fff gethostbyname 589->592 593 7fea3fe7-7fea3ff4 lstrlen 589->593 594 7fea4254-7fea425a 592->594 595 7fea4005-7fea400c 592->595 593->592 593->593 594->584 599 7fea4012-7fea4031 socket 595->599 596->599 597->583 598 7fea4216-7fea421d 597->598 600 7fea421f-7fea422b SetEvent 598->600 601 7fea4231-7fea424f Sleep ResetEvent 598->601 599->597 602 7fea4037-7fea404a connect 599->602 600->601 601->584 603 7fea4050-7fea4129 call 7fea273c call 7fea2750 GetVersionExA call 7fea2750 call 7fea32f0 call 7fea4109 wsprintfA call 7fea32f0 602->603 604 7fea4206-7fea4207 closesocket 602->604 619 7fea412b-7fea4141 CreateThread CloseHandle 603->619 620 7fea4147 603->620 604->597 619->620 621 7fea414d-7fea4163 620->621 621->604 623 7fea4169-7fea416b 621->623 624 7fea416d-7fea4185 623->624 625 7fea418a-7fea4192 624->625 626 7fea4187 624->626 625->624 627 7fea4194 625->627 626->625 628 7fea419a-7fea419e 627->628 629 7fea41b0-7fea41b2 628->629 630 7fea41a0-7fea41a7 call 7fea2f08 628->630 632 7fea41b4-7fea41be 629->632 630->604 635 7fea41a9 630->635 634 7fea41c3-7fea41d1 call 7fea6480 call 7fea649a 632->634 634->621 641 7fea41d7-7fea41e1 Sleep 634->641 635->632 637 7fea41ab-7fea41ae 635->637 637->628 641->634 642 7fea41e3-7fea41f4 GetTickCount 641->642 642->621 643 7fea41fa-7fea4201 642->643 643->604 643->621
                                                                                                      APIs
                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00000104), ref: 7FEA3C39
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6E36,00000000,00000000,00000000,00000000), ref: 7FEA3DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA3C38, 7FEA3C9E, 7FEA3CAE, 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3969011833-3441452408
                                                                                                      • Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction ID: 9aca7d3b7fb460b858eaf3e0e80c99dd93525a92ac7923124c4fd82c469f76f2
                                                                                                      • Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction Fuzzy Hash: 36F1E571519348BEDB229F24CC4ABFA7BACEF42304F00451AE8559F081DBF66F0597A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
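
The strings list of the function above (7FEA3BD5; the same routine appears again at 00BD3BD5 in the other memory dump) references SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List together with C:\WINDOWS\TASKSCHE.EXE and the sample's own path under Program Files (x86). That key is where the legacy (XP-era) Windows Firewall keeps its per-application exceptions: each value is named after the executable and its data has the form path:scope:Enabled|Disabled:display name, with a scope of * meaning any remote address. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses a reg export of that key and reports the entries a responder would want to look at first. The .reg text is constructed (the sessmgr.exe line is modelled on the stock Remote Assistance exception and the display names of the last two entries are invented); the two suspicious paths are the ones in the report's strings list, and the two heuristics, an executable sitting directly in the Windows directory and a long random-looking mixed-case path component, are this example's own.

```python
"""Added example, not from the Joe Sandbox report or the sample: audit the legacy Windows
Firewall exception list (AuthorizedApplications\\List) that the function above references."""
import re
from dataclasses import dataclass
from typing import Dict, List

FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                     r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed `reg export` output.  The sessmgr.exe entry is modelled on the stock Remote
# Assistance exception; the last two entries use the paths from the report's strings list
# with invented display names.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"
"C:\\WINDOWS\\TASKSCHE.EXE"="C:\\WINDOWS\\TASKSCHE.EXE:*:Enabled:TASKSCHE.EXE"
"C:\\Program Files (x86)\\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\\RfsaVDBoWSoGjxwXebEIpiWge.exe"="C:\\Program Files (x86)\\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:Enabled:RfsaVDBoWSoGjxwXebEIpiWge"
'''

ENTRY_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')   # "name"="data" line of a .reg file
VALUE_RE = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>enabled|disabled):(?P<display>.*)$", re.I)
WINDIR_ROOT_RE = re.compile(r"^(?:[a-z]:\\windows|%windir%|%systemroot%)\\[^\\]+\.exe$", re.I)

@dataclass
class FirewallEntry:
    path: str
    scope: str      # "*" = any remote address, "LocalSubNet", or an explicit address list
    enabled: bool
    display: str

def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg_export(text: str) -> List[FirewallEntry]:
    """Collect the AuthorizedApplications\\List values out of a .reg export (already decoded to str)."""
    entries, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == FIREWALL_LIST_KEY.lower()
            continue
        m = ENTRY_RE.match(line) if in_key else None
        v = VALUE_RE.match(_unescape(m["data"])) if m else None
        if v:
            entries.append(FirewallEntry(v["path"], v["scope"], v["mode"].lower() == "enabled", v["display"]))
    return entries

def camel_humps(token: str) -> int:
    """Count lower->upper transitions ('aB'); random mixed-case names have many, product names few."""
    return sum(1 for a, b in zip(token, token[1:]) if a.islower() and b.isupper())

def suspicious_reasons(e: FirewallEntry) -> List[str]:
    """Heuristics of this example: Windows-directory-root executables and random-looking path parts."""
    reasons: List[str] = []
    if not e.enabled:
        return reasons
    if WINDIR_ROOT_RE.match(e.path):
        reasons.append("executable sits directly in the Windows directory")
    for part in e.path.split("\\")[1:]:          # skip the drive / %windir% component
        stem = part.rsplit(".", 1)[0]
        if len(stem) >= 16 and " " not in stem and camel_humps(stem) >= 5:
            reasons.append(f"random-looking path component {part!r}")
            break
    if reasons and e.scope == "*":
        reasons.append("exception is open to any remote address (scope '*')")
    return reasons

def audit(text: str) -> Dict[str, List[str]]:
    """Path -> reasons for every enabled entry that trips a heuristic."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_reg_export(text):
        reasons = suspicious_reasons(e)
        if reasons:
            flagged[e.path] = reasons
    return flagged

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE_REG).items():
        print(path, "->", "; ".join(reasons))
```

On a live host the input comes from reg export of that key (reg export writes UTF-16 with a BOM, so decode the file before passing its text in). The heuristics are deliberately narrow: a clean result means nothing matching this sample's pattern is present, not that the exception list is trustworthy, so any enabled entry with scope * that the team cannot attribute still deserves a look.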

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 352 bd3bd5-bd3bf1 353 bd3c41-bd3c4b call bd252f 352->353 354 bd3bf3-bd3bfb 352->354 362 bd3c4d-bd3c66 call bd3c5a 353->362 363 bd3c93-bd3cdb GetSystemDirectoryA call bd3cb7 353->363 355 bd3bfc-bd3bff 354->355 357 bd3c2b 355->357 358 bd3c01-bd3c06 355->358 357->355 361 bd3c2d-bd3cdb GetWindowsDirectoryA call bd3cce 357->361 358->357 360 bd3c08-bd3c29 358->360 360->357 372 bd3cdd-bd3d58 GetProcAddress LoadLibraryA call bd10ce call bd01cb GetTickCount call bd3b0e 361->372 370 bd3c6c-bd3c74 GetProcAddress 362->370 371 bd3c67 call bd26d4 362->371 363->372 375 bd3c78-bd3cdb call bd3c88 370->375 376 bd3c76 370->376 371->370 384 bd3d5a 372->384 385 bd3d60-bd3d65 call bd3b0e 372->385 375->372 376->375 384->385 388 bd3d67-bd3d7e 385->388 389 bd3d80-bd3d90 call bd62df call bd273c 388->389 394 bd3d96-bd3db2 call bd62df 389->394 395 bd3d92-bd3d94 389->395 396 bd3db3-bd3db4 394->396 395->396 396->389 398 bd3db6-bd3dbc 396->398 398->388 400 bd3dbe-bd3dc8 call bd273c 398->400 403 bd3dca-bd3dd2 call bd2750 400->403 404 bd3dd7-bd3e10 call bd273c GetVolumeInformationA 400->404 403->404 408 bd3e1a-bd3e20 404->408 409 bd3e12-bd3e18 404->409 410 bd3e29-bd3e36 408->410 411 bd3e22 408->411 409->410 412 bd3ebd 410->412 413 bd3e3c-bd3e60 call bd3e4d 410->413 411->410 414 bd3ec7 412->414 413->414 421 bd3e62-bd3e68 413->421 417 bd3ec9-bd3ee1 CreateThread CloseHandle 414->417 418 bd3ee7-bd3f54 call bd3ef8 call bd10ce call bd3f27 call bd10ce 414->418 417->418 436 bd425f-bd4261 RtlExitUserThread 418->436 437 bd3f5a-bd3f9d WSAStartup CreateThread CloseHandle CreateEventA 418->437 424 bd3e6a-bd3e6f 421->424 425 bd3e91-bd3ea5 421->425 427 bd3e98-bd3ea5 424->427 428 bd3e71-bd3e90 424->428 430 bd3eac-bd3eb6 425->430 427->430 428->425 430->412 432 bd3eb8 call bd339d 430->432 432->412 438 bd3fa3-bd3fbb call bd3792 437->438 441 bd3fbd-bd3fc0 438->441 442 bd3fc2-bd3fd5 call bd3b28 438->442 441->442 443 bd3fdd-bd3fe5 441->443 450 bd420d-bd4214 442->450 451 bd3fdb 442->451 445 bd3fe7-bd3ff4 lstrlen 443->445 446 bd3ff6-bd3fff gethostbyname 443->446 445->445 445->446 448 bd4005-bd400c 446->448 449 bd4254-bd425a 446->449 452 bd4012-bd4031 socket 448->452 449->438 450->436 453 bd4216-bd421d 450->453 451->452 452->450 454 bd4037-bd404a connect 452->454 455 bd421f-bd422b SetEvent 453->455 456 bd4231-bd424f Sleep ResetEvent 453->456 457 bd4206-bd4207 closesocket 454->457 458 bd4050-bd4129 call bd273c call bd2750 GetVersionExA call bd2750 call bd32f0 call bd4109 wsprintfA call bd32f0 454->458 455->456 456->438 457->450 473 bd412b-bd4141 CreateThread CloseHandle 458->473 474 bd4147 458->474 473->474 475 bd414d-bd4163 474->475 475->457 477 bd4169-bd416b 475->477 478 bd416d-bd4185 477->478 479 bd418a-bd4192 478->479 480 bd4187 478->480 479->478 481 bd4194 479->481 480->479 482 bd419a-bd419e 481->482 483 bd41b0-bd41b2 482->483 484 bd41a0-bd41a7 call bd2f08 482->484 485 bd41b4-bd41be 483->485 484->457 490 bd41a9 484->490 487 bd41c3-bd41d1 call bd6480 call bd649a 485->487 487->475 495 bd41d7-bd41e1 Sleep 487->495 490->485 492 bd41ab-bd41ae 490->492 492->482 495->487 496 bd41e3-bd41f4 GetTickCount 495->496 496->475 497 bd41fa-bd4201 496->497 497->457 497->475
                                                                                                      APIs
                                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00000104), ref: 00BD3C39
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 00BD3C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BD6E36,00000000,00000000,00000000,00000000), ref: 00BD3DFD
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD3C38, 00BD3C9E, 00BD3CAE, 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3969011833-3441452408
                                                                                                      • Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction ID: 1145100158bff55dd90138f8527f27fe4f7e1bdf2e61f05ca02155e42005c5da
                                                                                                      • Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction Fuzzy Hash: B9F12871519248BFDB35AF24CC4ABEABBECEF41700F04059AE8459F182E7F05F4586A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
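The function entry above references the Windows Firewall AuthorizedApplications\List key and the path C:\WINDOWS\TASKSCHE.EXE alongside its socket calls, which is the pattern a responder will want to check for on hosts. The following host-triage check is an added example, not part of this Joe Sandbox report and not code from the analysed sample; the event schema, the process and file names other than the two indicators, and the sample event stream are constructed for illustration:

```python
from dataclasses import dataclass

# Indicators taken verbatim from the strings referenced by the function above.
FIREWALL_AUTH_APPS_KEY = (
    r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
    r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"
)
TASKSCHE_PATH = r"C:\WINDOWS\TASKSCHE.EXE"
WINDOWS_DIR = r"C:\WINDOWS"


@dataclass
class Finding:
    rule: str
    severity: str
    image: str      # process that produced the event
    detail: str


def _norm(path: str) -> str:
    """Upper-case a Windows path and strip quotes so comparisons are case-insensitive."""
    return path.strip().strip('"').upper()


def _under_windows_dir(path: str) -> bool:
    return _norm(path).startswith(_norm(WINDOWS_DIR) + "\\")


def detect(events):
    """Run three checks over an ordered list of endpoint events and return Findings.

    Event schema (constructed for this example; it is not Sysmon's or Joe Sandbox's):
      {"type": "reg_set",     "image": writer, "key": full key, "value_name": name, "data": data}
      {"type": "file_create", "image": writer, "target": path}
      {"type": "proc_create", "image": started binary, "parent": parent image}
    """
    findings = []
    dropped = set()  # paths written earlier in this stream, for the drop-then-run check

    for ev in events:
        kind = ev["type"]

        if kind == "reg_set" and _norm(ev["key"]).endswith(_norm(FIREWALL_AUTH_APPS_KEY)):
            # XP/2003-era AuthorizedApplications\List layout: the value name is the exe
            # path, the data is "<path>:*:Enabled:<description>".
            authorized = ev["value_name"]
            if _norm(authorized) == _norm(ev["image"]):
                sev, why = "high", "process authorised its own image through the host firewall"
            elif _under_windows_dir(authorized):
                sev, why = "high", "firewall exception for a binary inside the Windows directory"
            else:
                sev, why = "medium", "firewall exception added"
            findings.append(Finding("firewall_exception", sev, ev["image"], f"{why}: {authorized}"))

        elif kind == "file_create":
            dropped.add(_norm(ev["target"]))
            if _norm(ev["target"]) == _norm(TASKSCHE_PATH):
                findings.append(Finding("tasksche_dropped", "high", ev["image"], ev["target"]))

        elif kind == "proc_create":
            img = _norm(ev["image"])
            if img in dropped and _under_windows_dir(img):
                findings.append(Finding("dropped_then_executed", "high", ev["image"],
                                        f"started by {ev['parent']} after being written this session"))
    return findings


# Constructed sample stream, not a real capture: a benign installer exception first,
# then the drop-authorise-execute pattern suggested by the strings in the entry above.
# "dropper_sample.exe" is a placeholder name, not a filename from the report.
SAMPLE_EVENTS = [
    {"type": "reg_set", "image": r"C:\Program Files\Vendor\setup.exe",
     "key": "HKLM\\" + FIREWALL_AUTH_APPS_KEY,
     "value_name": r"C:\Program Files\Vendor\app.exe",
     "data": r"C:\Program Files\Vendor\app.exe:*:Enabled:Vendor App"},
    {"type": "reg_set", "image": r"C:\WINDOWS\dropper_sample.exe",
     "key": "HKLM\\" + FIREWALL_AUTH_APPS_KEY,
     "value_name": r"C:\WINDOWS\dropper_sample.exe",
     "data": r"C:\WINDOWS\dropper_sample.exe:*:Enabled:dropper_sample"},
    {"type": "file_create", "image": r"C:\WINDOWS\dropper_sample.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "file_create", "image": r"C:\WINDOWS\explorer.exe",
     "target": r"C:\Users\alice\Desktop\notes.txt"},
    {"type": "proc_create", "image": r"C:\WINDOWS\tasksche.exe",
     "parent": r"C:\WINDOWS\dropper_sample.exe"},
    {"type": "proc_create", "image": r"C:\WINDOWS\system32\notepad.exe",
     "parent": r"C:\WINDOWS\explorer.exe"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule:24} {f.image}  {f.detail}")
```

The key in the report is the StandardProfile AuthorizedApplications list, which is the pre-Vista firewall store; on Vista and later the same intent shows up as writes under FirewallPolicy\FirewallRules, so a production rule should match both locations. Path comparison is case-insensitive on purpose: the report shows the target as C:\WINDOWS\TASKSCHE.EXE, while file-system events will usually carry whatever casing the writer used.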

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(7FEA3C52), ref: 7FEA3C5A
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 7FEA3C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA3CAE, 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2837544101-3441452408
                                                                                                      • Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction ID: 5a25107989713debb64ec6711dd094ee3109f09e8278f9dd4288a618bb6666d3
                                                                                                      • Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction Fuzzy Hash: 24E10671519348BEDB229F34CC5ABFA7BACEF42300F00455AEC559E081DAF65F0587A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

Control-flow Graph (function entry 00BD3C5A; the rendered graph and its executed/not-executed block colouring did not survive extraction. Basic blocks recovered from the graph text, listed with the calls each makes; blocks without calls and the full edge list are omitted.)

• bd3c5a: GetModuleHandleA
• bd3c64-bd3c74: call bd26d4, GetProcAddress
• bd3c78-bd3d58: call bd3c88, GetProcAddress, LoadLibraryA, call bd10ce, call bd01cb, GetTickCount, call bd3b0e
• bd3d60-bd3d65: call bd3b0e
• bd3d80-bd3db2: call bd62df, call bd273c (loop over bd3d67-bd3dbc)
• bd3dbe-bd3dd2: call bd273c, call bd2750
• bd3dd7-bd3e10: call bd273c, GetVolumeInformationA
• bd3e3c-bd3e60: call bd3e4d; bd3eb8: call bd339d
• bd3ec9-bd3ee1: CreateThread, CloseHandle
• bd3ee7-bd3f54: call bd3ef8, call bd10ce, call bd3f27, call bd10ce
• bd3f5a-bd3f9d: WSAStartup, CreateThread, CloseHandle, CreateEventA
• bd3fa3-bd3fbb: call bd3792 (loop head; bd4231-bd424f and bd4254-bd425a branch back here)
• bd3fc2-bd3fd5: call bd3b28
• bd3fe7-bd3ff4: lstrlen; bd3ff6-bd3fff: gethostbyname
• bd4012-bd4031: socket; bd4037-bd404a: connect (one branch goes straight to bd4206 closesocket)
• bd4050-bd4129: call bd273c, call bd2750, GetVersionExA, call bd2750, call bd32f0, call bd4109, wsprintfA, call bd32f0
• bd412b-bd4141: CreateThread, CloseHandle
• bd41a0-bd41a7: call bd2f08; bd41c3-bd41d1: call bd6480, call bd649a
• bd41d7-bd41e1: Sleep; bd41e3-bd41f4: GetTickCount (inner wait loop back to bd414d)
• bd4206-bd4207: closesocket
• bd421f-bd422b: SetEvent; bd4231-bd424f: Sleep, ResetEvent
• bd425f-bd4261: RtlExitUserThread
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00BD3C52), ref: 00BD3C5A
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 00BD3C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD3CAE, 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2837544101-3441452408
                                                                                                      • Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction ID: f37c06629c6679f86b76a8c9f809ed4c80d74510f38b8c6e62e7e54f09a7c6ad
                                                                                                      • Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction Fuzzy Hash: 3AE13771519248BFDB25AF24CC4ABEABBECEF42700F04059AEC449E182E7F45F458666
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(7FEA3C7D), ref: 7FEA3C88
                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00000104), ref: 7FEA3C9F
                                                                                                        • Part of subcall function 7FEA3CB7: lstrcat.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,7FEA3CAA), ref: 7FEA3CB8
                                                                                                        • Part of subcall function 7FEA3CB7: GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                        • Part of subcall function 7FEA3CB7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                        • Part of subcall function 7FEA3CB7: GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                        • Part of subcall function 7FEA3CB7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6E36,00000000,00000000,00000000,00000000), ref: 7FEA3DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA3C9E, 7FEA3CAE, 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 215653160-3441452408
                                                                                                      • Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction ID: aeaaef09d323b934acf6576f031b8d72fc496fbf9d0374d28b6ab2dc06a08c56
                                                                                                      • Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction Fuzzy Hash: 71D1E671519348BEDB229F30CC5ABFA7BACEF42300F00455AEC559E091D6F65F058766
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00BD3C7D), ref: 00BD3C88
                                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00000104), ref: 00BD3C9F
                                                                                                        • Part of subcall function 00BD3CB7: lstrcat.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00BD3CAA), ref: 00BD3CB8
                                                                                                        • Part of subcall function 00BD3CB7: GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                        • Part of subcall function 00BD3CB7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                        • Part of subcall function 00BD3CB7: GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                        • Part of subcall function 00BD3CB7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BD6E36,00000000,00000000,00000000,00000000), ref: 00BD3DFD
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD3C9E, 00BD3CAE, 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 215653160-3441452408
                                                                                                      • Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction ID: b9d80f887e5f3bf24a62443d8e635fa7e9ac877d84d0f63f12e7da48b88be998
                                                                                                      • Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction Fuzzy Hash: 33D14771515248BFDB25AF20CC4ABEABBECEF01700F00059AEC589E182E7F45F458666
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • lstrcat.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,7FEA3CAA), ref: 7FEA3CB8
                                                                                                        • Part of subcall function 7FEA3CCE: LoadLibraryA.KERNEL32(7FEA3CC3), ref: 7FEA3CCE
                                                                                                        • Part of subcall function 7FEA3CCE: GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                        • Part of subcall function 7FEA3CCE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                        • Part of subcall function 7FEA3CCE: GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                        • Part of subcall function 7FEA3CCE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6E36,00000000,00000000,00000000,00000000), ref: 7FEA3DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA3CB7, 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2038497427-3441452408
                                                                                                      • Opcode ID: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
                                                                                                      • Instruction ID: e965e319ca092c4b75a0ff691012f0174cc64fcd4b44b9f7ff1122fc9856030a
                                                                                                      • Opcode Fuzzy Hash: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
                                                                                                      • Instruction Fuzzy Hash: C8D10571519348BEDB229F34CC4ABFA7BACEF42300F00455AEC599E091DAF66F058766
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • lstrcat.KERNEL32(C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,00BD3CAA), ref: 00BD3CB8
                                                                                                        • Part of subcall function 00BD3CCE: LoadLibraryA.KERNEL32(00BD3CC3), ref: 00BD3CCE
                                                                                                        • Part of subcall function 00BD3CCE: GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                        • Part of subcall function 00BD3CCE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                        • Part of subcall function 00BD3CCE: GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                        • Part of subcall function 00BD3CCE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BD6E36,00000000,00000000,00000000,00000000), ref: 00BD3DFD
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD3CB7, 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2038497427-3441452408
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(7FEA3CC3), ref: 7FEA3CCE
                                                                                                        • Part of subcall function 7FEA3CE3: GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                        • Part of subcall function 7FEA3CE3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                        • Part of subcall function 7FEA3CE3: GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                        • Part of subcall function 7FEA3CE3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6E36,00000000,00000000,00000000,00000000), ref: 7FEA3DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3734769084-3441452408
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(00BD3CC3), ref: 00BD3CCE
                                                                                                        • Part of subcall function 00BD3CE3: GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                        • Part of subcall function 00BD3CE3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                        • Part of subcall function 00BD3CE3: GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                        • Part of subcall function 00BD3CE3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BD6E36,00000000,00000000,00000000,00000000), ref: 00BD3DFD
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3734769084-3441452408
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(00000000,7FEA3CD9), ref: 7FEA3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 7FEA3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 7FEA3D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,7FEA6E36,00000000,00000000,00000000,00000000), ref: 7FEA3DFD
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,7FEA3629,00000000,00000000), ref: 7FEA3ED8
                                                                                                      • CloseHandle.KERNEL32(?,54521404), ref: 7FEA3EE1
                                                                                                      • WSAStartup.WS2_32(00000101), ref: 7FEA3F66
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 7FEA3F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 7FEA3F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3F97
                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4028
                                                                                                      • connect.WS2_32(63727305,7FEA3AA1,00000010), ref: 7FEA4042
                                                                                                      • GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA408C
                                                                                                      • wsprintfA.USER32 ref: 7FEA410A
                                                                                                      • SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA4225
                                                                                                      • Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA4236
                                                                                                      • ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA4249
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 7FEA3CF6
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 927156256-3441452408
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(00000000,00BD3CD9), ref: 00BD3CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00BD3CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00BD3D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00BD6E36,00000000,00000000,00000000,00000000), ref: 00BD3DFD
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,00BD3629,00000000,00000000), ref: 00BD3ED8
                                                                                                      • CloseHandle.KERNEL32(?,54521404), ref: 00BD3EE1
                                                                                                      • WSAStartup.WS2_32(00000101), ref: 00BD3F66
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00BD3F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 00BD3F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BD3F97
                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 00BD4028
                                                                                                      • connect.WS2_32(63727305,00BD3AA1,00000010), ref: 00BD4042
                                                                                                      • GetVersionExA.KERNEL32(?,?,00000000), ref: 00BD408C
                                                                                                      • wsprintfA.USER32 ref: 00BD410A
                                                                                                      • SetEvent.KERNEL32(000002A0,?,00000000), ref: 00BD4225
                                                                                                      • Sleep.KERNEL32(00007530,?,00000000), ref: 00BD4236
                                                                                                      • ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00BD4249
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4119, 00BD4158
                                                                                                      • ADVAPI32.DLL, xrefs: 00BD3CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
                                                                                                      • C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepStartupTickVersionVolumeconnectsocketwsprintf
                                                                                                      • String ID: ADVAPI32.DLL$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 927156256-3441452408
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 7FEA04BE
                                                                                                      • GetVersion.KERNEL32 ref: 7FEA0500
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 7FEA0528
                                                                                                      • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$AllocCloseModuleVersionVirtual
                                                                                                      • String ID: \BaseNamedObjects\rgltVt$\BaseNamedObjects\rgltVt$csrs
                                                                                                      • API String ID: 3017432202-2534361129
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CloseHandle.KERNEL32(?), ref: 7FEA05AD
                                                                                                      • GetModuleHandleA.KERNEL32(7FEA05EC), ref: 7FEA05F2
                                                                                                      • lstrcpyW.KERNEL32(\BaseNamedObjects\rgltVt,\BaseNamedObjects\rgltVt), ref: 7FEA070A
                                                                                                      • lstrcpyW.KERNEL32(\BaseNamedObjects\rgltVt,?), ref: 7FEA072D
                                                                                                      • lstrcatW.KERNEL32(\BaseNamedObjects\rgltVt,\rgltVt), ref: 7FEA073B
                                                                                                      • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 7FEA076B
                                                                                                      • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 7FEA0786
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
                                                                                                      • Process32First.KERNEL32 ref: 7FEA07DC
                                                                                                      • Process32Next.KERNEL32 ref: 7FEA07ED
                                                                                                      • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA0805
                                                                                                      • CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 7FEA0842
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA085D
                                                                                                      • CloseHandle.KERNEL32 ref: 7FEA086C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                                      • String ID: \BaseNamedObjects\rgltVt$\BaseNamedObjects\rgltVt$csrs
                                                                                                      • API String ID: 1545766225-2534361129
                                                                                                      Uniqueness
                                                                                                      • Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetSystemTime.KERNEL32(00BD74C4), ref: 00BD3837
                                                                                                      • Sleep.KERNEL32(0000EA60), ref: 00BD38A9
                                                                                                      • InternetGetConnectedState.WININET(?,00000000), ref: 00BD38C2
                                                                                                      • gethostbyname.WS2_32(0D278065), ref: 00BD3904
                                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 00BD3919
                                                                                                      • ioctlsocket.WS2_32(?,8004667E), ref: 00BD3932
                                                                                                      • connect.WS2_32(?,?,00000010), ref: 00BD394B
                                                                                                      • Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 00BD3959
                                                                                                      • closesocket.WS2_32 ref: 00BD39B8
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
                                                                                                      • String ID: oirlzx.com
                                                                                                      • API String ID: 159131500-700772952
                                                                                                      • Opcode ID: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
                                                                                                      • Instruction ID: 46009450f3b729982c486c56f14633320e39183d40db44e16b393cd46f7d11aa
                                                                                                      • Opcode Fuzzy Hash: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
                                                                                                      • Instruction Fuzzy Hash: 6541F371705249BADB315F208C5DBA9BADEEF85B10F04445AFA099E2C2E7F59F00C726
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA33E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA3438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 7FEA3450
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 7FEA33AC
                                                                                                      • \Device\PhysicalMemory, xrefs: 7FEA3378
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
                                                                                                      • API String ID: 2985292042-3481447464
                                                                                                      • Opcode ID: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction ID: 56a11edcbb1c689dbd1713449122b98a438c0060f72ca6f09a76162296ec45fe
                                                                                                      • Opcode Fuzzy Hash: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction Fuzzy Hash: AE81AB71500208FFEB258F14CC89ABA7BBDEF44711F104618ED1A9F291D7B2AF558BA4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BD33E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BD3401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BD342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BD3438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 00BD3450
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 00BD33AC
                                                                                                      • \Device\PhysicalMemory, xrefs: 00BD3378
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$\Device\PhysicalMemory
                                                                                                      • API String ID: 2985292042-3481447464
                                                                                                      • Opcode ID: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction ID: 921068f7424ffd0bf1e420561fb211a438beca28069d4040c905c51635ab28e0
                                                                                                      • Opcode Fuzzy Hash: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction Fuzzy Hash: F681AE71500208FFEB249F14CC89ABA77ACEF44B10F104559ED199B292E7F0AF55CBA9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA33E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA3438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 7FEA3450
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 7FEA33AC
                                                                                                      • ysic, xrefs: 7FEA33E8, 7FEA33FE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$ysic
                                                                                                      • API String ID: 2985292042-3421363416
                                                                                                      • Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction ID: ff6e1720a4d5288448ee75bc0faa3df6a4e6c75d0573f4a9372b1c80ae80cf43
                                                                                                      • Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction Fuzzy Hash: D1118B70140709BFEB248F10CC56FAB367CEF88704F004618EA1A9F290EBF56F148A68
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BD33E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BD3401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BD342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BD3438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 00BD3450
                                                                                                      Strings
                                                                                                      • C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 00BD33AC
                                                                                                      • ysic, xrefs: 00BD33E8, 00BD33FE
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$ysic
                                                                                                      • API String ID: 2985292042-3421363416
                                                                                                      • Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction ID: 02c24b4086e277a1f81c9183920d93db36f17b955cc190bd17e3f7f8c4615d98
                                                                                                      • Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction Fuzzy Hash: 8A11B270140609FBEB348F10CC56FAB76BCEF88B10F104519EA199B2D1E7F4AF148A69
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetTempFileNameA.KERNEL32(?,00BD27A3,00000000,?), ref: 00BD27A8
                                                                                                      • CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00BD27A3,00000000,?), ref: 00BD27C3
                                                                                                      • InternetReadFile.WININET(?,?,00000104), ref: 00BD27DD
                                                                                                      • WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00BD27A3,00000000,?), ref: 00BD27F3
                                                                                                      • CloseHandle.KERNEL32(?,00000104,?,00000000,?,00BD27A3,00000000,?), ref: 00BD27FF
                                                                                                      • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00BD27A3), ref: 00BD2823
                                                                                                      • InternetCloseHandle.WININET(?), ref: 00BD2833
                                                                                                      • InternetCloseHandle.WININET(00000000), ref: 00BD283A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 3452404049-0
                                                                                                      • Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
                                                                                                      • Instruction ID: 75959b7f275fb15effc2aa3d336b653262907242207358d60b28518f80cce1f1
                                                                                                      • Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
                                                                                                      • Instruction Fuzzy Hash: 78116DB1101645FBEB350B20CC4AFFB7A6DEF94B10F004519FA0599190EBF59E5096A8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: File$Create$MappingView
                                                                                                      • String ID: !$&$&$($@
                                                                                                      • API String ID: 1299149932-3998544071
                                                                                                      • Opcode ID: 25fd66c91c24a4fd03ddee83c8a1d13ddf3750b043df019a0650e26a20b1b082
                                                                                                      • Instruction ID: 9a47f9b56868187d74c23fa501e9b99ff18267223aec4681d09f20923d468791
                                                                                                      • Opcode Fuzzy Hash: 25fd66c91c24a4fd03ddee83c8a1d13ddf3750b043df019a0650e26a20b1b082
                                                                                                      • Instruction Fuzzy Hash: F0821131504349EFDB26CF28C8457A97BBAEF40328F245219C82A8F195D3F6AF94CB55
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • lstrcpyW.KERNEL32(?,\BaseNamedObjects\rgltVt), ref: 7FEA24BA
                                                                                                      • lstrlenW.KERNEL32(?), ref: 7FEA24C1
                                                                                                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 7FEA2516
                                                                                                      Strings
                                                                                                      • \BaseNamedObjects\rgltVt, xrefs: 7FEA24B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateSectionlstrcpylstrlen
                                                                                                      • String ID: \BaseNamedObjects\rgltVt
                                                                                                      • API String ID: 2597515329-2940223550
                                                                                                      • Opcode ID: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction ID: 3d658928266ddf13e57175c854466b86464fdc84b0814c26b1264ca4c3db85b9
                                                                                                      • Opcode Fuzzy Hash: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction Fuzzy Hash: 7901A4B0791304BBF7305B29CC4BF5F7969DF81B51F548154F718AE1C4DAB89A0483A9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • lstrcpyW.KERNEL32(?,\BaseNamedObjects\rgltVt), ref: 00BD24BA
                                                                                                      • lstrlenW.KERNEL32(?), ref: 00BD24C1
                                                                                                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00BD2516
                                                                                                      Strings
                                                                                                      • \BaseNamedObjects\rgltVt, xrefs: 00BD24B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateSectionlstrcpylstrlen
                                                                                                      • String ID: \BaseNamedObjects\rgltVt
                                                                                                      • API String ID: 2597515329-2940223550
                                                                                                      • Opcode ID: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction ID: 846742326d140018b256c80f0446e25c34b617fdd11b7c01e698797142f7f708
                                                                                                      • Opcode Fuzzy Hash: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction Fuzzy Hash: 1A01AFB0791305BBF7305B29CC8BF5F7969DF81B50F948158F718AE1C4DAB89A0483A9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
• NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
Strings
• \BaseNamedObjects\rgltVt, xrefs: 7FEA254B
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: OpenSection
• String ID: \BaseNamedObjects\rgltVt
• API String ID: 1950954290-2940223550
• Opcode ID: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
• Instruction ID: be79e926c7ba3cdd2c7dd474d1815d54d5159c487d34c6ebacd093897ac0aaf8
• Opcode Fuzzy Hash: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
• Instruction Fuzzy Hash: 75E09AF17402063AFB288A29CC17FA7228DCB80602F0C8604F918DA080E5B4AB108268
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 7FEA252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E
• NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 7FEA25A4
• CloseHandle.KERNEL32(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,7FEA0815), ref: 7FEA25AC
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: Section$CloseHandleOpenView
• String ID:
• API String ID: 2731707328-0
• Opcode ID: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
• Instruction ID: 1146768d7d0c0653ae7c65a746e47e6098816a1e91a2f6cfed56a84069563c97
• Opcode Fuzzy Hash: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
• Instruction Fuzzy Hash: B7213B70301746ABDB18DE65CC95FBA7369FF80684F401118E81ABE1D4DBB2BE14CB58
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
• NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: AdjustLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 3615134276-0
• Opcode ID: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
• Instruction ID: d6f38f481fcad269b120698a2c1356ff37e0dff7a02be2eff211d383f83c851a
• Opcode Fuzzy Hash: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
• Instruction Fuzzy Hash: F8F0E932542010BBD6201B42CC8EED73E28EF533A0F040455F4484E151C2624BA1D3F4
Uniqueness
• Uniqueness Score: -1.00%

APIs
• NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FEA249B
• NtWriteVirtualMemory.NTDLL ref: 7FEA24A4
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: MemoryVirtual$ProtectWrite
• String ID:
• API String ID: 151266762-0
• Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
• Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
• Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
Uniqueness
• Uniqueness Score: -1.00%
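The four functions above are the pieces of one injection chain: a section object opened by name under \BaseNamedObjects\ and mapped with Win32Protect 00000040 (PAGE_EXECUTE_READWRITE), a privilege name looked up and fed to NtAdjustPrivilegesToken, and NtProtectVirtualMemory set to 00000040 immediately before NtWriteVirtualMemory. The Python below is an added example, not Joe Sandbox output and not code from the sample: it parses the APIs and Strings bullet lines exactly as this report prints them and applies those four rules. The block labels, the rule names and the grouping of lines into functions are assumptions (only 7FEA252F is named in the dump, as a subcall); the rules key on argument position, which only holds where the dump recovered the argument at all.

```python
"""Flag process-injection API chains in Joe Sandbox function dumps.

Added example: not Joe Sandbox output and not code from the sample.  It parses
the 'APIs' / 'Strings' bullet lines printed above and applies the rules a
detection engineer would key on.  Block labels, rule names and the grouping of
lines into functions are assumptions; only 7FEA252F is named in the dump.
"""
import re
from dataclasses import dataclass, field

PAGE_EXECUTE_READWRITE = 0x40  # the 00000040 constant seen in the dump

# Constructed sample: bullet lines copied from the 7FEA0000 dump, one function per entry.
BLOCKS = {
    "open_named_section": [
        "• NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E",
        "• \\BaseNamedObjects\\rgltVt, xrefs: 7FEA254B",
    ],
    "map_section": [
        "• Part of subcall function 7FEA252F: NtOpenSection.NTDLL(?,0000000E), ref: 7FEA255E",
        "• NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 7FEA25A4",
        "• CloseHandle.KERNEL32(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,7FEA0815), ref: 7FEA25AC",
    ],
    "adjust_privileges": [
        "• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A",
        "• NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A",
    ],
    "protect_then_write": [
        "• NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 7FEA249B",
        "• NtWriteVirtualMemory.NTDLL ref: 7FEA24A4",
    ],
}

# '• [Part of subcall function X: ]Name.MODULE[(args)], ref: ADDR'
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# '• <string>, xrefs: ADDR[, ADDR...]'
STRING_RE = re.compile(r"^•\s*(?P<text>.*?),\s*xrefs?:\s*[0-9A-Fa-f, ]+$")


@dataclass
class Call:
    name: str
    module: str
    args: list        # int for 8-hex-digit values, None for '?' or symbolic arguments
    ref: str
    via_subcall: bool


@dataclass
class Function:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)


def parse_arg(token):
    token = token.strip()
    return int(token, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", token) else None


def parse_block(lines):
    fn = Function()
    for line in lines:
        line = line.strip()
        if m := STRING_RE.match(line):
            fn.strings.append(m.group("text"))
        elif m := API_RE.match(line):
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            fn.calls.append(Call(m.group("name"), m.group("module"), args,
                                 m.group("ref"), m.group("sub") is not None))
    return fn


def analyse(lines):
    """Return the rule names that fire for one function's bullet lines."""
    fn = parse_block(lines)
    names = [c.name for c in fn.calls]
    findings = []

    # NtProtectVirtualMemory(Process, *Base, *Size, NewProtect, *Old): the 4th argument
    # is the new protection.  0x40 followed by NtWriteVirtualMemory is make-RWX-then-write.
    for i, c in enumerate(fn.calls):
        if (c.name == "NtProtectVirtualMemory" and len(c.args) >= 4
                and c.args[3] == PAGE_EXECUTE_READWRITE
                and any(d.name == "NtWriteVirtualMemory" for d in fn.calls[i + 1:])):
            findings.append("rwx_protect_then_write")
            break

    # NtMapViewOfSection takes ten arguments; the last one is Win32Protect.
    if any(c.name == "NtMapViewOfSection" and len(c.args) >= 10
           and c.args[9] == PAGE_EXECUTE_READWRITE for c in fn.calls):
        findings.append("rwx_section_map")

    # A section opened by name under \BaseNamedObjects\ is shared memory another
    # process can map: the hand-off channel for whatever gets mapped RWX.
    if "NtOpenSection" in names and any(s.startswith("\\BaseNamedObjects\\") for s in fn.strings):
        findings.append("named_section_open")

    # Privilege lookup feeding a token adjustment.  The privilege name is '?' in the
    # dump, so which privilege is enabled cannot be read from this report.
    if "LookupPrivilegeValueA" in names:
        after = names[names.index("LookupPrivilegeValueA") + 1:]
        if any(n in ("NtAdjustPrivilegesToken", "AdjustTokenPrivileges") for n in after):
            findings.append("privilege_adjust")
    return findings


def summarise(blocks=BLOCKS):
    return {label: analyse(lines) for label, lines in blocks.items()}


if __name__ == "__main__":
    # Caveat: Joe Sandbox prints '?' where it could not recover an argument, so the
    # positional constants these rules rely on are hints, not ground truth.
    for label, found in summarise().items():
        print(f"{label:20s} {', '.join(found) or 'no finding'}")
```

Run as a script it prints one line per function. The same parser can be pointed at any other function's bullet list from this report; the rules deliberately stay per-function, because the dump gives no call order across functions.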

APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
• NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: AdjustLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 3615134276-0
• Opcode ID: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
• Instruction ID: 47fd2fdfef69c01f2383a78087d1294dd7e4f4bd71475d1ca0affc6c0d2f20e2
• Opcode Fuzzy Hash: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
• Instruction Fuzzy Hash: 1BD06771643034BBD6312A568C0EEE77D1DEF577A0F015441F9089A1A1C5A28EA1C6F5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
• Instruction ID: 599e4210a27b95691828082bf071d632d483ec5813d8a2b375e76b2b2bcd3a21
• Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
• Instruction Fuzzy Hash: 6A31F5326006158BEB148E38C94079AB7F2FB84704F10C63CE557FB594D676F6898BC0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
• Instruction ID: 73fecf105264d62452fb9899f96a34b48ea67d95b07828405ce22351cb0d92e6
• Opcode Fuzzy Hash: 0642b33d3ce8112a54256d33be083f0dc48b56f423af93a4a8a3c14605054926
• Instruction Fuzzy Hash: 3D3128326006558BEB148F38C85579AF7E2FBA4304F10C67DE556E7680E679FA898BC0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8218de38323479a09e09664737f0271114d8ef91b7d521b1daf9042e2ccc4ac
• Instruction ID: f0f9d25d209616971c0a9408303952b9b6fab7fe69a8d4d9e188e35ba333143e
• Opcode Fuzzy Hash: c8218de38323479a09e09664737f0271114d8ef91b7d521b1daf9042e2ccc4ac
• Instruction Fuzzy Hash: A00124326053455ED721DE38CD88FADBBA1EBC5324F118325E6944F08AD637A28186A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c8218de38323479a09e09664737f0271114d8ef91b7d521b1daf9042e2ccc4ac
• Instruction ID: 2055c70c792a8a4706949f77a70733e08a1b3724ede9ee8f2de011d2cad672df
• Opcode Fuzzy Hash: c8218de38323479a09e09664737f0271114d8ef91b7d521b1daf9042e2ccc4ac
• Instruction Fuzzy Hash: E60164322011455ED720FE28CC89F9DF3E1ABC4320F00C3BAF4945B28AE636A2818681
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(7FEA3F1B), ref: 7FEA3F27
• WSAStartup.WS2_32(00000101), ref: 7FEA3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 7FEA3F81
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3F97
• lstrlen.KERNEL32(src.gide.at,?,00000000), ref: 7FEA3FE8
• gethostbyname.WS2_32(src.gide.at), ref: 7FEA3FF7
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4028
• connect.WS2_32(63727305,7FEA3AA1,00000010), ref: 7FEA4042
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA408C
• wsprintfA.USER32 ref: 7FEA410A
• CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 7FEA4138
• CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,7FEA6E36,000000A8,63727305,63727305,7FEA3AEA,00000014,00000000), ref: 7FEA4141
• RtlExitUserThread.NTDLL(00000000), ref: 7FEA4261
Strings
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
• src.gide.at, xrefs: 7FEA3FE7, 7FEA3FF6
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4119, 7FEA4158
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$src.gide.at
• API String ID: 3947895852-2196962613
• Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
• Instruction ID: 1f19dfe30ab9c43e13b8bae516eeccfb55818e60c833b419f6a1145a3973a7c9
• Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
• Instruction Fuzzy Hash: F181D171119349BFDB229F30C819BEE7BADEF81304F000559E85A9E091D7F6AF058B69
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00BD3F1B), ref: 00BD3F27
• WSAStartup.WS2_32(00000101), ref: 00BD3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00BD3F81
• CloseHandle.KERNEL32(?,00000000), ref: 00BD3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BD3F97
• lstrlen.KERNEL32(src.gide.at,?,00000000), ref: 00BD3FE8
• gethostbyname.WS2_32(src.gide.at), ref: 00BD3FF7
• socket.WS2_32(00000002,00000001,00000000), ref: 00BD4028
• connect.WS2_32(63727305,00BD3AA1,00000010), ref: 00BD4042
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00BD408C
• wsprintfA.USER32 ref: 00BD410A
• CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 00BD4138
• CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,00BD6E36,000000A8,63727305,63727305,00BD3AEA,00000014,00000000), ref: 00BD4141
• RtlExitUserThread.NTDLL(00000000), ref: 00BD4261
Strings
• src.gide.at, xrefs: 00BD3FE7, 00BD3FF6
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4119, 00BD4158
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: CreateThread$CloseHandle$EventExitLibraryLoadStartupUserVersionconnectgethostbynamelstrlensocketwsprintf
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$src.gide.at
• API String ID: 3947895852-2196962613
• Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
• Instruction ID: c034815f4d7ca6c59874a26810c9f51fa951e5bb6de1747b685feada98d5dfd2
• Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
• Instruction Fuzzy Hash: E081D171515249BFDB219F24C85ABEABBECEF41700F04058AF8595E281E3F09F458B6A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,7FEA3E58), ref: 7FEA3E65
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,000000C8), ref: 7FEA3E7A
• wsprintfA.USER32 ref: 7FEA3E8F
• CreateThread.KERNEL32(00000000,00000000,7FEA3629,00000000,00000000), ref: 7FEA3ED8
• CloseHandle.KERNEL32(?,54521404), ref: 7FEA3EE1
• WSAStartup.WS2_32(00000101), ref: 7FEA3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 7FEA3F81
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3F97
  • Part of subcall function 7FEA339D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 7FEA33E2
  • Part of subcall function 7FEA339D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 7FEA3401
  • Part of subcall function 7FEA339D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 7FEA342B
  • Part of subcall function 7FEA339D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 7FEA3438
  • Part of subcall function 7FEA339D: UnmapViewOfFile.KERNEL32(?), ref: 7FEA3450
Strings
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 7FEA3E8E
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA3E77, 7FEA3E8C, 7FEA4119, 7FEA4158
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
                                                                                                      • String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetProcAddress.KERNEL32(00000000,00BD3E58), ref: 00BD3E65
• GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,000000C8), ref: 00BD3E7A
• wsprintfA.USER32 ref: 00BD3E8F
• CreateThread.KERNEL32(00000000,00000000,00BD3629,00000000,00000000), ref: 00BD3ED8
• CloseHandle.KERNEL32(?,54521404), ref: 00BD3EE1
• WSAStartup.WS2_32(00000101), ref: 00BD3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00BD3F81
• CloseHandle.KERNEL32(?,00000000), ref: 00BD3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BD3F97
  • Part of subcall function 00BD339D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00BD33E2
  • Part of subcall function 00BD339D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00BD3401
  • Part of subcall function 00BD339D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00BD342B
  • Part of subcall function 00BD339D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00BD3438
  • Part of subcall function 00BD339D: UnmapViewOfFile.KERNEL32(?), ref: 00BD3450
Strings
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1, xrefs: 00BD3E8E
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD3E77, 00BD3E8C, 00BD4119, 00BD4158
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionStartupSystemUnmapwsprintf
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe:*:enabled:@shell32.dll,-1$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(7FEA3E41), ref: 7FEA3E4D
  • Part of subcall function 7FEA3E64: GetProcAddress.KERNEL32(00000000,7FEA3E58), ref: 7FEA3E65
  • Part of subcall function 7FEA3E64: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,000000C8), ref: 7FEA3E7A
  • Part of subcall function 7FEA3E64: wsprintfA.USER32 ref: 7FEA3E8F
  • Part of subcall function 7FEA3E64: CreateThread.KERNEL32(00000000,00000000,7FEA3629,00000000,00000000), ref: 7FEA3ED8
  • Part of subcall function 7FEA3E64: CloseHandle.KERNEL32(?,54521404), ref: 7FEA3EE1
  • Part of subcall function 7FEA3E64: WSAStartup.WS2_32(00000101), ref: 7FEA3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 7FEA3F81
• CloseHandle.KERNEL32(?,00000000), ref: 7FEA3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3F97
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4028
• connect.WS2_32(63727305,7FEA3AA1,00000010), ref: 7FEA4042
• GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA408C
• wsprintfA.USER32 ref: 7FEA410A
Strings
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 7FEA3EA4
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4119, 7FEA4158
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00BD3E41), ref: 00BD3E4D
  • Part of subcall function 00BD3E64: GetProcAddress.KERNEL32(00000000,00BD3E58), ref: 00BD3E65
  • Part of subcall function 00BD3E64: GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe,000000C8), ref: 00BD3E7A
  • Part of subcall function 00BD3E64: wsprintfA.USER32 ref: 00BD3E8F
  • Part of subcall function 00BD3E64: CreateThread.KERNEL32(00000000,00000000,00BD3629,00000000,00000000), ref: 00BD3ED8
  • Part of subcall function 00BD3E64: CloseHandle.KERNEL32(?,54521404), ref: 00BD3EE1
  • Part of subcall function 00BD3E64: WSAStartup.WS2_32(00000101), ref: 00BD3F66
• CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00BD3F81
• CloseHandle.KERNEL32(?,00000000), ref: 00BD3F8A
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BD3F97
• socket.WS2_32(00000002,00000001,00000000), ref: 00BD4028
• connect.WS2_32(63727305,00BD3AA1,00000010), ref: 00BD4042
• GetVersionExA.KERNEL32(?,?,00000000), ref: 00BD408C
• wsprintfA.USER32 ref: 00BD410A
Strings
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4119, 00BD4158
• SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00BD3EA4
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: Create$CloseHandleThreadwsprintf$AddressEventFileLibraryLoadModuleNameProcStartupVersionconnectsocket
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Uniqueness

Uniqueness Score: -1.00%

APIs
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4028
• connect.WS2_32(63727305,7FEA3AA1,00000010), ref: 7FEA4042
• wsprintfA.USER32 ref: 7FEA410A
• CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 7FEA4138
• CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,7FEA6E36,000000A8,63727305,63727305,7FEA3AEA,00000014,00000000), ref: 7FEA4141
• Sleep.KERNEL32(00000064,?,?,?,Function_000037B1,63727305,?,?,00000023,7FEA6E36,000000A8,63727305,63727305,7FEA3AEA,00000014,00000000), ref: 7FEA41DA
• GetTickCount.KERNEL32 ref: 7FEA41E3
• closesocket.WS2_32(63727305), ref: 7FEA4207
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA4225
• Sleep.KERNEL32(00007530,?,00000000), ref: 7FEA4236
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 7FEA4249
Strings
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4109, 7FEA4119, 7FEA4158
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE
Uniqueness

Uniqueness Score: -1.00%

APIs
• socket.WS2_32(00000002,00000001,00000000), ref: 00BD4028
• connect.WS2_32(63727305,00BD3AA1,00000010), ref: 00BD4042
• wsprintfA.USER32 ref: 00BD410A
• CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 00BD4138
• CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,00BD6E36,000000A8,63727305,63727305,00BD3AEA,00000014,00000000), ref: 00BD4141
• Sleep.KERNEL32(00000064,?,?,?,Function_000037B1,63727305,?,?,00000023,00BD6E36,000000A8,63727305,63727305,00BD3AEA,00000014,00000000), ref: 00BD41DA
• GetTickCount.KERNEL32 ref: 00BD41E3
• closesocket.WS2_32(63727305), ref: 00BD4207
• SetEvent.KERNEL32(000002A0,?,00000000), ref: 00BD4225
• Sleep.KERNEL32(00007530,?,00000000), ref: 00BD4236
• ResetEvent.KERNEL32(000002A0,?,00000000), ref: 00BD4249
Strings
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4109, 00BD4119, 00BD4158
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: EventSleep$CloseCountCreateHandleResetThreadTickclosesocketconnectsocketwsprintf
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(7FEA3EEC), ref: 7FEA3EF8
  • Part of subcall function 7FEA3F27: LoadLibraryA.KERNEL32(7FEA3F1B), ref: 7FEA3F27
  • Part of subcall function 7FEA3F27: WSAStartup.WS2_32(00000101), ref: 7FEA3F66
  • Part of subcall function 7FEA3F27: CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 7FEA3F81
  • Part of subcall function 7FEA3F27: CloseHandle.KERNEL32(?,00000000), ref: 7FEA3F8A
  • Part of subcall function 7FEA3F27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 7FEA3F97
  • Part of subcall function 7FEA3F27: socket.WS2_32(00000002,00000001,00000000), ref: 7FEA4028
  • Part of subcall function 7FEA3F27: connect.WS2_32(63727305,7FEA3AA1,00000010), ref: 7FEA4042
  • Part of subcall function 7FEA3F27: GetVersionExA.KERNEL32(?,?,00000000), ref: 7FEA408C
Strings
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 7FEA4157
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 7FEA4119, 7FEA4158
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 3793714048-3731079479
• Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction ID: b67a33e171a28624ddfe8ab1e5238558b27c32c4c3291d9317fedc6211665881
• Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction Fuzzy Hash: B961E471119349BEDB229F34CC1ABEA7BACEF81304F000659E8595F091D6F66F0587A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00BD3EEC), ref: 00BD3EF8
  • Part of subcall function 00BD3F27: LoadLibraryA.KERNEL32(00BD3F1B), ref: 00BD3F27
  • Part of subcall function 00BD3F27: WSAStartup.WS2_32(00000101), ref: 00BD3F66
  • Part of subcall function 00BD3F27: CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00BD3F81
  • Part of subcall function 00BD3F27: CloseHandle.KERNEL32(?,00000000), ref: 00BD3F8A
  • Part of subcall function 00BD3F27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00BD3F97
  • Part of subcall function 00BD3F27: socket.WS2_32(00000002,00000001,00000000), ref: 00BD4028
  • Part of subcall function 00BD3F27: connect.WS2_32(63727305,00BD3AA1,00000010), ref: 00BD4042
  • Part of subcall function 00BD3F27: GetVersionExA.KERNEL32(?,?,00000000), ref: 00BD408C
Strings
• C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe, xrefs: 00BD4119, 00BD4158
• C:\WINDOWS\TASKSCHE.EXE, xrefs: 00BD4157
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: CreateLibraryLoad$CloseEventHandleStartupThreadVersionconnectsocket
• String ID: C:\Program Files (x86)\UcSHtshAXpIeFikosOpnMKxLOaGwqPwoIdcBkfuyrmT\RfsaVDBoWSoGjxwXebEIpiWge.exe$C:\WINDOWS\TASKSCHE.EXE
• API String ID: 3793714048-3731079479
• Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction ID: 07ec0fb70af4b129373670cd5923d27448a74d28fa0d0f16eb17cfca05a5ed8c
• Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction Fuzzy Hash: AA61D671515249BFDB21AF24CC5ABEABBECEF41300F04059AF8595E182E3F05F4587A6
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemTime.KERNEL32(7FEA74C4), ref: 7FEA3837
• Sleep.KERNEL32(0000EA60), ref: 7FEA38A9
• InternetGetConnectedState.WININET(?,00000000), ref: 7FEA38C2
• gethostbyname.WS2_32(0D278065), ref: 7FEA3904
• socket.WS2_32(00000002,00000001,00000000), ref: 7FEA3919
• ioctlsocket.WS2_32(?,8004667E), ref: 7FEA3932
• connect.WS2_32(?,?,00000010), ref: 7FEA394B
• Sleep.KERNEL32(?,00000010,BB010002,00000000,8004667E,?,00000001), ref: 7FEA3959
• closesocket.WS2_32 ref: 7FEA39B8
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: Sleep$ConnectedInternetStateSystemTimeclosesocketconnectgethostbynameioctlsocketsocket
• String ID: oirlzx.com
• API String ID: 159131500-700772952
• Opcode ID: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
• Instruction ID: 679708d68e1f1f1ff3adb2774e65a255b4cfa23130b2b7b2cbe7d81c0c76102a
• Opcode Fuzzy Hash: 8a686a087b9ca882c45b70cfb202359d5926509ce2d560687b0ead4f7edf597d
• Instruction Fuzzy Hash: 5641B371606349BEDB219F208C0DBE97B6EEF86715F004459FA0AAE0C0DBF79B419664
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 7FEA144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 7FEA145A
  • Part of subcall function 7FEA144A: NtAdjustPrivilegesToken.NTDLL(?,00000000,?,00000000,00000000,00000000), ref: 7FEA146A
• CloseHandle.KERNEL32(?), ref: 7FEA05AD
• FreeLibrary.KERNEL32(76DF0000,?,7FEA079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA07B8
• CloseHandle.KERNEL32(?,?,7FEA079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA07BF
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 7FEA07C9
• Process32First.KERNEL32 ref: 7FEA07DC
• Process32Next.KERNEL32 ref: 7FEA07ED
• OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA0805
• CreateRemoteThread.KERNEL32(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 7FEA0842
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 7FEA085D
• CloseHandle.KERNEL32 ref: 7FEA086C
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: CloseHandle$CreateProcess32$AdjustFirstFreeLibraryLookupNextOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
• String ID: csrs
• API String ID: 3908997113-2321902090
• Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
• Instruction ID: 2cd7a14c00b21565bcb56f83c63b20fe79d5af0ee737aa92731432fe19230117
• Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
• Instruction Fuzzy Hash: 35113030506205FBEB256F31CD49BBF3A6DEF44711F00016DFE4B9D051D6B5AA019A6A
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 7FEA278C
  • Part of subcall function 7FEA27A7: GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
  • Part of subcall function 7FEA27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
  • Part of subcall function 7FEA27A7: InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
  • Part of subcall function 7FEA27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
  • Part of subcall function 7FEA27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
  • Part of subcall function 7FEA27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
  • Part of subcall function 7FEA27A7: InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction ID: 74c89064570d784bd3ffb51b95ebf9e27efa287465053b468b7125fe6face982
• Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction Fuzzy Hash: A321D2B1146305BFE7215A24CC8EFFF3A2DEF85B10F000119FA45AD091D7B2AA05C676
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 00BD278C
  • Part of subcall function 00BD27A7: GetTempFileNameA.KERNEL32(?,00BD27A3,00000000,?), ref: 00BD27A8
  • Part of subcall function 00BD27A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00BD27A3,00000000,?), ref: 00BD27C3
  • Part of subcall function 00BD27A7: InternetReadFile.WININET(?,?,00000104), ref: 00BD27DD
  • Part of subcall function 00BD27A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00BD27A3,00000000,?), ref: 00BD27F3
  • Part of subcall function 00BD27A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00BD27A3,00000000,?), ref: 00BD27FF
  • Part of subcall function 00BD27A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00BD27A3), ref: 00BD2823
  • Part of subcall function 00BD27A7: InternetCloseHandle.WININET(?), ref: 00BD2833
• InternetCloseHandle.WININET(00000000), ref: 00BD283A
Memory Dump Source
• Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
Similarity
• API ID: File$CloseHandleInternet$CreateTemp$NamePathProcessReadWrite
• String ID:
• API String ID: 1995088466-0
• Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction ID: 8cf4a3a0ce78389536d5d262b22913f1b232d6a77760110a5697e6ace7a98828
• Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction Fuzzy Hash: 4E21C0B1146245BFE7315B20CC8EFFF7A6CEF95B10F00011AFA4899191E7B19E458676
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNEL32(?,7FEA27A3,00000000,?), ref: 7FEA27A8
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27C3
• InternetReadFile.WININET(?,?,00000104), ref: 7FEA27DD
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27F3
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,7FEA27A3,00000000,?), ref: 7FEA27FF
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,7FEA27A3), ref: 7FEA2823
• InternetCloseHandle.WININET(?), ref: 7FEA2833
• InternetCloseHandle.WININET(00000000), ref: 7FEA283A
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: File$CloseHandleInternet$Create$NameProcessReadTempWrite
• String ID:
• API String ID: 3452404049-0
• Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
• Instruction ID: 253c23f555185b814b1cdcf545c16be04bb5684639417fd8c89e0d35e34b2959
• Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
• Instruction Fuzzy Hash: D0116DB1102605FBEB250B24CC49FFB7A2DEF85B14F004519FA06AD090DBF5AA5096A8
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(01AAF790), ref: 7FEA113D
• GetProcAddress.KERNEL32(00000000,7FEA11D6), ref: 7FEA1148
Memory Dump Source
• Source File: 00000004.00000002.716248732.000000007FEA0000.00000040.10000000.00040000.00000000.sdmp, Offset: 7FEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7fea0000_mssecsvc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287
• Opcode ID: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
• Instruction ID: 64e96567a4fa29470c832aebb982c78cc4185b42e07649bfd7ba7b32abc738d9
• Opcode Fuzzy Hash: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
• Instruction Fuzzy Hash: 5A01C434116206EAC7538E28C8457FE3BBDEF14275F004115D91A8F159C67AAA50CF95
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(01AAF790), ref: 00BD113D
                                                                                                      • GetProcAddress.KERNEL32(00000000,00BD11D6), ref: 00BD1148
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000004.00000002.714310186.0000000000BD0000.00000040.10000000.00040000.00000000.sdmp, Offset: 00BD0000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_4_2_bd0000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressHandleModuleProc
                                                                                                      • String ID: .DLL
                                                                                                      • API String ID: 1646373207-899428287
                                                                                                      • Opcode ID: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
                                                                                                      • Instruction ID: aa1848bdfb2ed68b2b20958080f0ead8d74c1d4983a97723c6d686db35b5416b
                                                                                                      • Opcode Fuzzy Hash: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
                                                                                                      • Instruction Fuzzy Hash: 92012670115006FADB659E6CC84A6EABBFCEF04341F004892EA199B316E770DE80C695
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Execution Graph

                                                                                                      Execution Coverage:3.9%
                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                      Signature Coverage:0%
                                                                                                      Total number of Nodes:314
                                                                                                      Total number of Limit Nodes:0
                                                                                                      execution_graph 2483 b96579 2486 b96586 2483->2486 2487 b96583 2486->2487 2488 b96591 2486->2488 2488->2487 2490 b96597 2488->2490 2493 b92574 2490->2493 2512 b9252f NtOpenSection 2493->2512 2495 b9257c 2496 b92661 2495->2496 2497 b92582 NtMapViewOfSection FindCloseChangeNotification 2495->2497 2496->2487 2497->2496 2498 b925ba 2497->2498 2499 b925ef 2498->2499 2513 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2498->2513 2514 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2499->2514 2502 b92600 2515 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2502->2515 2504 b92611 2516 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2504->2516 2506 b92622 2507 b92637 2506->2507 2517 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2506->2517 2509 b9264c 2507->2509 2518 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2507->2518 2509->2496 2519 b92477 NtProtectVirtualMemory NtWriteVirtualMemory 2509->2519 2512->2495 2513->2499 2514->2502 2515->2504 2516->2506 2517->2507 2518->2509 2519->2496 2520 b93378 2521 b9337d 2520->2521 2522 b93407 MapViewOfFile CloseHandle 2521->2522 2523 b933d8 NtOpenSection 2521->2523 2526 b93448 2522->2526 2527 b9358b 2522->2527 2525 b933f7 NtQuerySystemInformation 2523->2525 2523->2527 2524 b9344f UnmapViewOfFile 2524->2527 2525->2522 2526->2524 2526->2527 2453 b9433a 2456 b9144a LookupPrivilegeValueA NtAdjustPrivilegesToken 2453->2456 2455 b94340 2456->2455 2982 b9655f 2983 b96586 5 API calls 2982->2983 2984 b96569 2983->2984 2532 b902fe 2533 b90415 2532->2533 2535 b9042d 2533->2535 2566 b910ce 2535->2566 2537 b9048f 2538 b904dd 2537->2538 2539 b904b0 GetModuleHandleA 2537->2539 2540 b904f8 GetVersion 2538->2540 2539->2538 2541 b905ca 2540->2541 2542 b9050f VirtualAlloc 2540->2542 2543 b905a9 CloseHandle 2541->2543 2544 b905d3 SetProcessAffinityMask 2541->2544 2542->2543 2548 b90532 2542->2548 2546 b905f2 GetModuleHandleA 
2543->2546 2573 b905f2 GetModuleHandleA 2544->2573 2547 b910ce 2 API calls 2546->2547 2564 b905ec 2547->2564 2548->2543 2570 b905ba 2548->2570 2549 b906fc lstrcpyW 2592 b924ae lstrcpyW lstrlenW 2549->2592 2551 b9074c NtMapViewOfSection 2551->2543 2551->2564 2552 b90717 GetPEB lstrcpyW lstrcatW 2553 b924ae 3 API calls 2552->2553 2553->2564 2555 b90780 NtOpenProcessToken 2556 b907c5 CreateToolhelp32Snapshot Process32First 2555->2556 2555->2564 2557 b907eb Process32Next 2556->2557 2558 b90865 CloseHandle 2557->2558 2557->2564 2558->2543 2560 b907fd OpenProcess 2560->2557 2560->2564 2561 b92574 5 API calls 2561->2564 2562 b9085c CloseHandle 2562->2557 2563 b90834 CreateRemoteThread 2563->2562 2563->2564 2564->2543 2564->2549 2564->2551 2564->2552 2564->2555 2564->2556 2564->2557 2564->2560 2564->2561 2564->2562 2564->2563 2565 b905ba Sleep 2564->2565 2594 b907ac 2564->2594 2565->2562 2567 b910db 2566->2567 2567->2566 2568 b9115c 2567->2568 2569 b91133 GetModuleHandleA GetProcAddress 2567->2569 2568->2537 2569->2567 2571 b905c9 2570->2571 2572 b905bf Sleep 2570->2572 2571->2543 2572->2570 2574 b910ce 2 API calls 2573->2574 2585 b9060e 2574->2585 2575 b905a9 CloseHandle 2575->2573 2576 b906fc lstrcpyW 2577 b924ae 3 API calls 2576->2577 2577->2585 2578 b9074c NtMapViewOfSection 2578->2575 2578->2585 2579 b90717 GetPEB lstrcpyW lstrcatW 2580 b924ae 3 API calls 2579->2580 2580->2585 2581 b90780 NtOpenProcessToken 2582 b907c5 CreateToolhelp32Snapshot Process32First 2581->2582 2581->2585 2583 b907eb Process32Next 2582->2583 2584 b90865 CloseHandle 2583->2584 2583->2585 2584->2575 2585->2575 2585->2576 2585->2578 2585->2579 2585->2581 2585->2582 2585->2583 2586 b907ac 30 API calls 2585->2586 2587 b907fd OpenProcess 2585->2587 2588 b92574 5 API calls 2585->2588 2589 b9085c CloseHandle 2585->2589 2590 b90834 CreateRemoteThread 2585->2590 2591 b905ba Sleep 2585->2591 2586->2585 2587->2583 2587->2585 2588->2585 2589->2583 2590->2585 2590->2589 2591->2589 2593 b924ea 
NtCreateSection 2592->2593 2593->2564 2617 b9144a LookupPrivilegeValueA NtAdjustPrivilegesToken 2594->2617 2596 b907b2 FreeLibrary FindCloseChangeNotification 2597 b907c5 CreateToolhelp32Snapshot Process32First 2596->2597 2598 b907eb Process32Next 2597->2598 2599 b90865 CloseHandle 2598->2599 2600 b9060e 2598->2600 2601 b905a9 CloseHandle 2599->2601 2600->2597 2600->2598 2600->2601 2602 b907fd OpenProcess 2600->2602 2605 b92574 5 API calls 2600->2605 2606 b9085c CloseHandle 2600->2606 2607 b90834 CreateRemoteThread 2600->2607 2610 b906fc lstrcpyW 2600->2610 2612 b9074c NtMapViewOfSection 2600->2612 2613 b90717 GetPEB lstrcpyW lstrcatW 2600->2613 2615 b90780 NtOpenProcessToken 2600->2615 2616 b907ac 13 API calls 2600->2616 2603 b905f2 GetModuleHandleA 2601->2603 2602->2598 2602->2600 2604 b910ce 2 API calls 2603->2604 2604->2600 2605->2600 2606->2598 2607->2606 2608 b9084d 2607->2608 2609 b905ba Sleep 2608->2609 2609->2606 2611 b924ae 3 API calls 2610->2611 2611->2600 2612->2600 2612->2601 2614 b924ae 3 API calls 2613->2614 2614->2600 2615->2597 2615->2600 2616->2600 2617->2596 2457 b937b1 2459 b937b7 WaitForSingleObject 2457->2459 2460 b937d3 2459->2460 2461 b93331 2463 b9333a 2461->2463 2464 b93341 Sleep 2463->2464 2464->2464 2985 b910cb 2986 b910ce 2985->2986 2987 b9115c 2986->2987 2988 b91133 GetModuleHandleA GetProcAddress 2986->2988 2988->2986 2621 b9116f LoadLibraryA 2626 b91196 GetProcAddress 2621->2626 2623 b91180 2624 b91220 2623->2624 2625 b9145b NtAdjustPrivilegesToken 2623->2625 2626->2623 2465 b93820 2467 b93826 GetSystemTime 2465->2467 2468 b9386a 2467->2468 2469 b938a4 Sleep 2468->2469 2470 b939ca 2468->2470 2471 b93951 Sleep 2468->2471 2469->2468 2471->2468 2473 b90000 2474 b90004 2473->2474 2475 b900a1 2474->2475 2477 b9025e 2474->2477 2481 b90105 2477->2481 2480 b90278 2480->2475 2482 b90116 GetPEB 2481->2482 2482->2480 2472 b91422 LookupPrivilegeValueA NtAdjustPrivilegesToken 2627 b92762 2629 b92768 2627->2629 2630 b92829 2629->2630 2631 b92780 
GetTempPathA 2629->2631 2637 b927a7 GetTempFileNameA CreateFileA 2631->2637 2634 b927ce 2635 b927fe CloseHandle CreateProcessA 2634->2635 2636 b927ea WriteFile 2634->2636 2635->2630 2636->2634 2636->2635 2638 b927ce 2637->2638 2641 b927a3 CreateFileA 2637->2641 2639 b927fe CloseHandle CreateProcessA 2638->2639 2640 b927ea WriteFile 2638->2640 2639->2641 2640->2638 2640->2639 2641->2630 2641->2634 2642 b92665 2644 b9266b CreateThread CloseHandle 2642->2644 2645 b93bd0 2644->2645 2647 b93bd5 2645->2647 2648 b93c41 2647->2648 2651 b93bf3 GetWindowsDirectoryA 2647->2651 2696 b9252f NtOpenSection 2648->2696 2650 b93c46 2653 b93c93 GetSystemDirectoryA 2650->2653 2697 b93c5a GetModuleHandleA 2650->2697 2654 b93cbe 2651->2654 2738 b93cb7 lstrcat 2653->2738 2774 b93cce LoadLibraryA 2654->2774 2696->2650 2698 b93c76 2697->2698 2699 b93c64 2697->2699 2809 b93c88 GetModuleHandleA 2698->2809 2700 b93c6c GetProcAddress 2699->2700 2700->2698 2739 b93cbe 2738->2739 2740 b93cce 117 API calls 2739->2740 2741 b93cc3 GetProcAddress LoadLibraryA 2740->2741 2743 b910ce 2 API calls 2741->2743 2744 b93d15 2743->2744 2745 b93d2a GetTickCount 2744->2745 2746 b93d42 2745->2746 2747 b93ddf GetVolumeInformationA 2746->2747 2748 b93e12 2747->2748 2749 b93ebd 2748->2749 2750 b93e4d 78 API calls 2748->2750 2751 b93ec9 CreateThread CloseHandle 2749->2751 2752 b93ee7 2749->2752 2759 b93e41 2750->2759 2751->2752 2753 b93ef8 40 API calls 2752->2753 2754 b93eec 2753->2754 2755 b910ce 2 API calls 2754->2755 2756 b93f16 2755->2756 2757 b93f27 26 API calls 2756->2757 2758 b93f1b 2757->2758 2760 b910ce 2 API calls 2758->2760 2759->2749 2761 b9339d 5 API calls 2759->2761 2762 b93f4d 2760->2762 2761->2749 2763 b9425f RtlExitUserThread 2762->2763 2764 b93f6c CreateThread CloseHandle CreateEventA 2762->2764 2770 b93fa3 2764->2770 2765 b93fe7 lstrlen 2765->2765 2765->2770 2766 b9421f SetEvent 2767 b94231 Sleep ResetEvent 2766->2767 2767->2770 2768 b94080 GetVersionExA 2768->2770 2769 b94109 10 API calls 
2769->2770 2770->2763 2770->2765 2770->2766 2770->2767 2770->2768 2770->2769 2771 b9412b CreateThread CloseHandle 2770->2771 2772 b941d7 Sleep 2770->2772 2771->2770 2772->2770 2773 b941e3 GetTickCount 2772->2773 2773->2770 2950 b93ce3 GetProcAddress LoadLibraryA 2774->2950 2846 b926d4 2809->2846 2812 b93cb7 137 API calls 2813 b93caa GetProcAddress LoadLibraryA 2812->2813 2815 b910ce 2 API calls 2813->2815 2816 b93d15 2815->2816 2817 b93d2a GetTickCount 2816->2817 2818 b93d42 2817->2818 2819 b93ddf GetVolumeInformationA 2818->2819 2820 b93e12 2819->2820 2821 b93ebd 2820->2821 2848 b93e4d LoadLibraryA 2820->2848 2823 b93ec9 CreateThread CloseHandle 2821->2823 2824 b93ee7 2821->2824 2823->2824 2874 b93ef8 LoadLibraryA 2824->2874 2847 b926c8 GetSystemDirectoryA 2846->2847 2847->2812 2892 b93e64 GetProcAddress GetModuleFileNameA 2848->2892 2875 b93f16 2874->2875 2876 b910ce 2 API calls 2874->2876 2877 b93f27 26 API calls 2875->2877 2876->2875 2878 b93f1b 2877->2878 2879 b910ce 2 API calls 2878->2879 2880 b93f4d 2879->2880 2881 b9425f RtlExitUserThread 2880->2881 2882 b93f6c CreateThread CloseHandle CreateEventA 2880->2882 2887 b93fa3 2882->2887 2883 b93fe7 lstrlen 2883->2883 2883->2887 2884 b9421f SetEvent 2885 b94231 Sleep ResetEvent 2884->2885 2885->2887 2886 b94080 GetVersionExA 2886->2887 2887->2881 2887->2883 2887->2884 2887->2885 2887->2886 2888 b94109 10 API calls 2887->2888 2889 b9412b CreateThread CloseHandle 2887->2889 2890 b941d7 Sleep 2887->2890 2888->2887 2889->2887 2890->2887 2891 b941e3 GetTickCount 2890->2891 2891->2887 2893 b93e95 2892->2893 2894 b93ebd 2893->2894 2917 b9339d 2893->2917 2896 b93ec9 CreateThread CloseHandle 2894->2896 2897 b93ee7 2894->2897 2896->2897 2898 b93ef8 40 API calls 2897->2898 2899 b93eec 2898->2899 2900 b910ce 2 API calls 2899->2900 2901 b93f16 2900->2901 2925 b93f27 LoadLibraryA 2901->2925 2918 b933d3 2917->2918 2918->2918 2919 b933d8 NtOpenSection 2918->2919 2920 b9358b 2919->2920 2921 b933f7 NtQuerySystemInformation 
2919->2921 2920->2894 2922 b93407 MapViewOfFile CloseHandle 2921->2922 2922->2920 2924 b93448 2922->2924 2923 b9344f UnmapViewOfFile 2923->2920 2924->2920 2924->2923 2926 b9425f RtlExitUserThread 2925->2926 2927 b93f35 2925->2927 2928 b93f4d 2927->2928 2929 b910ce 2 API calls 2927->2929 2928->2926 2930 b93f6c CreateThread CloseHandle CreateEventA 2928->2930 2929->2928 2931 b93fa3 2930->2931 2931->2926 2932 b93fe7 lstrlen 2931->2932 2933 b9421f SetEvent 2931->2933 2934 b94231 Sleep ResetEvent 2931->2934 2935 b94080 GetVersionExA 2931->2935 2937 b9412b CreateThread CloseHandle 2931->2937 2938 b941d7 Sleep 2931->2938 2940 b94109 2931->2940 2932->2931 2932->2932 2933->2934 2934->2931 2935->2931 2937->2931 2938->2931 2939 b941e3 GetTickCount 2938->2939 2939->2931 2942 b93fa3 2940->2942 2941 b9412b CreateThread CloseHandle 2941->2942 2942->2941 2943 b9425f RtlExitUserThread 2942->2943 2944 b9421f SetEvent 2942->2944 2945 b94231 Sleep ResetEvent 2942->2945 2946 b93fe7 lstrlen 2942->2946 2947 b941d7 Sleep 2942->2947 2949 b94080 GetVersionExA 2942->2949 2944->2945 2945->2942 2946->2942 2946->2946 2947->2942 2948 b941e3 GetTickCount 2947->2948 2948->2942 2949->2942 2951 b93d15 2950->2951 2952 b910ce 2 API calls 2950->2952 2953 b93d2a GetTickCount 2951->2953 2952->2951 2954 b93d42 2953->2954 2955 b93ddf GetVolumeInformationA 2954->2955 2956 b93e12 2955->2956 2957 b93ebd 2956->2957 2958 b93e4d 78 API calls 2956->2958 2959 b93ec9 CreateThread CloseHandle 2957->2959 2960 b93ee7 2957->2960 2967 b93e41 2958->2967 2959->2960 2961 b93ef8 40 API calls 2960->2961 2962 b93eec 2961->2962 2963 b910ce 2 API calls 2962->2963 2964 b93f16 2963->2964 2965 b93f27 26 API calls 2964->2965 2966 b93f1b 2965->2966 2968 b910ce 2 API calls 2966->2968 2967->2957 2969 b9339d 5 API calls 2967->2969 2970 b93f4d 2968->2970 2969->2957 2971 b9425f RtlExitUserThread 2970->2971 2972 b93f6c CreateThread CloseHandle CreateEventA 2970->2972 2977 b93fa3 2972->2977 2973 b93fe7 lstrlen 2973->2973 2973->2977 2974 
b9421f SetEvent 2975 b94231 Sleep ResetEvent 2974->2975 2975->2977 2976 b94080 GetVersionExA 2976->2977 2977->2971 2977->2973 2977->2974 2977->2975 2977->2976 2978 b94109 10 API calls 2977->2978 2979 b9412b CreateThread CloseHandle 2977->2979 2980 b941d7 Sleep 2977->2980 2978->2977 2979->2977 2980->2977 2981 b941e3 GetTickCount 2980->2981 2981->2977

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 0 b9042d-b904a4 call b910ce 3 b904dd 0->3 4 b904a6-b904db call b9273c GetModuleHandleA 0->4 6 b904e4-b90509 call b92750 GetVersion 3->6 4->6 10 b905ca-b905d1 6->10 11 b9050f-b90530 VirtualAlloc 6->11 12 b905a9-b90615 CloseHandle GetModuleHandleA call b910ce 10->12 14 b905d3-b905fc SetProcessAffinityMask call b905f2 10->14 11->12 13 b90532-b90562 call b90305 11->13 28 b90617-b90630 12->28 13->12 27 b90564-b9057b 13->27 20 b905fe-b9061c 14->20 21 b90621-b90630 14->21 20->21 24 b90639-b90652 21->24 25 b90632 21->25 24->12 29 b90658-b90671 24->29 25->24 27->12 33 b9057d-b905a4 27->33 28->24 28->25 29->12 30 b90677-b90690 29->30 30->12 32 b90696-b9069c 30->32 34 b906d8-b906de 32->34 35 b9069e-b906b1 32->35 33->12 48 b905a4 call b905ba 33->48 36 b906fc-b90715 lstrcpyW call b924ae 34->36 37 b906e0-b906f3 34->37 35->12 38 b906b7-b906bd 35->38 44 b9074c-b90775 NtMapViewOfSection 36->44 45 b90717-b90746 GetPEB lstrcpyW lstrcatW call b924ae 36->45 37->36 39 b906f5 37->39 38->34 42 b906bf-b906d2 38->42 39->36 42->12 42->34 44->12 49 b9077b-b9078f call b90305 NtOpenProcessToken 44->49 45->12 45->44 48->12 53 b90791-b907a3 call b9115d call b907ac 49->53 54 b907c5-b907e4 CreateToolhelp32Snapshot Process32First 49->54 64 b9080e-b9080f 53->64 65 b907a5 53->65 55 b907eb-b907f5 Process32Next 54->55 57 b90865-b90872 CloseHandle 55->57 58 b907f7-b907fb 55->58 57->12 58->55 61 b907fd-b9080d OpenProcess 58->61 61->55 63 b9080f 61->63 66 b90810-b90818 call b92574 63->66 64->66 65->66 67 b907a7-b907c4 65->67 71 b9081a-b90820 66->71 72 b9085c-b90863 CloseHandle 66->72 67->54 71->72 73 b90822-b90832 71->73 72->55 73->72 74 b90834-b9084b CreateRemoteThread 73->74 74->72 75 b9084d-b90857 call b905ba 74->75 75->72
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 00B904BE
                                                                                                      • GetVersion.KERNEL32 ref: 00B90500
                                                                                                      • VirtualAlloc.KERNEL32(00000000,00007700,08001000,00000040), ref: 00B90528
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00B905AD
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$AllocCloseModuleVersionVirtual
                                                                                                      • String ID: \BaseNamedObjects\whptVt$\BaseNamedObjects\whptVt$csrs
                                                                                                      • API String ID: 3017432202-1901567157
                                                                                                      • Opcode ID: 1c9046a76cd4f9cc91b46eb41cc31d523b20a60f6ceb114047097b2d910fbad8
                                                                                                      • Instruction ID: 997d835ddaca8b0f0daf656a6a790e568f90e7574d808bd2961cb4376cdae66b
                                                                                                      • Opcode Fuzzy Hash: 1c9046a76cd4f9cc91b46eb41cc31d523b20a60f6ceb114047097b2d910fbad8
                                                                                                      • Instruction Fuzzy Hash: 21B1BA31624209FFEF21AF60C84ABAA3BE9EF44311F1101A9F9089E181C7F49F45DB59
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 77 b905f2-b90615 GetModuleHandleA call b910ce 80 b905a9-b905b3 CloseHandle 77->80 81 b90617-b90630 77->81 80->77 82 b90639-b90652 81->82 83 b90632 81->83 82->80 84 b90658-b90671 82->84 83->82 84->80 85 b90677-b90690 84->85 85->80 86 b90696-b9069c 85->86 87 b906d8-b906de 86->87 88 b9069e-b906b1 86->88 89 b906fc-b90715 lstrcpyW call b924ae 87->89 90 b906e0-b906f3 87->90 88->80 91 b906b7-b906bd 88->91 96 b9074c-b90775 NtMapViewOfSection 89->96 97 b90717-b90746 GetPEB lstrcpyW lstrcatW call b924ae 89->97 90->89 92 b906f5 90->92 91->87 94 b906bf-b906d2 91->94 92->89 94->80 94->87 96->80 99 b9077b-b9078f call b90305 NtOpenProcessToken 96->99 97->80 97->96 103 b90791-b907a3 call b9115d call b907ac 99->103 104 b907c5-b907e4 CreateToolhelp32Snapshot Process32First 99->104 114 b9080e-b9080f 103->114 115 b907a5 103->115 105 b907eb-b907f5 Process32Next 104->105 107 b90865-b90872 CloseHandle 105->107 108 b907f7-b907fb 105->108 107->80 108->105 111 b907fd-b9080d OpenProcess 108->111 111->105 113 b9080f 111->113 116 b90810-b90818 call b92574 113->116 114->116 115->116 117 b907a7-b907c4 115->117 121 b9081a-b90820 116->121 122 b9085c-b90863 CloseHandle 116->122 117->104 121->122 123 b90822-b90832 121->123 122->105 123->122 124 b90834-b9084b CreateRemoteThread 123->124 124->122 125 b9084d-b90857 call b905ba 124->125 125->122
                                                                                                      APIs
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00B905AD
                                                                                                      • GetModuleHandleA.KERNEL32(00B905EC), ref: 00B905F2
                                                                                                      • lstrcpyW.KERNEL32(\BaseNamedObjects\whptVt,\BaseNamedObjects\whptVt), ref: 00B9070A
                                                                                                      • lstrcpyW.KERNEL32(\BaseNamedObjects\whptVt,?), ref: 00B9072D
                                                                                                      • lstrcatW.KERNEL32(\BaseNamedObjects\whptVt,\whptVt), ref: 00B9073B
                                                                                                      • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00007700,00000000,?,00000002,00000000,00000040), ref: 00B9076B
                                                                                                      • NtOpenProcessToken.NTDLL(000000FF,00000020), ref: 00B90786
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B907C9
                                                                                                      • Process32First.KERNEL32 ref: 00B907DC
                                                                                                      • Process32Next.KERNEL32 ref: 00B907ED
                                                                                                      • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00B90805
                                                                                                      • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00B90842
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00B9085D
                                                                                                      • CloseHandle.KERNEL32 ref: 00B9086C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Handle$Close$CreateOpenProcessProcess32lstrcpy$FirstModuleNextRemoteSectionSnapshotThreadTokenToolhelp32Viewlstrcat
                                                                                                      • String ID: \BaseNamedObjects\whptVt$\BaseNamedObjects\whptVt$csrs
                                                                                                      • API String ID: 1545766225-1901567157
                                                                                                      • Opcode ID: 17150f67079a076ac3b54c180adee95029a37e06bb0e30beb99ad34a9de5a8e6
                                                                                                      • Instruction ID: 40eb5df70f9eaf97870d3b47a831472e82941ded140fc36076b23f68ebe2930f
                                                                                                      • Opcode Fuzzy Hash: 17150f67079a076ac3b54c180adee95029a37e06bb0e30beb99ad34a9de5a8e6
                                                                                                      • Instruction Fuzzy Hash: 51719A31620205FFDF21AF50C849BAE3BEDEF44311F1100B9E9099E191C7B5AF45AB59
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 180 b9116f-b91187 LoadLibraryA call b91196 183 b91189 180->183 184 b911f2 180->184 185 b9118b-b91192 183->185 186 b911f4-b911f8 183->186 184->186 187 b911f9-b9120f 185->187 188 b91194-b9119a 185->188 186->187 191 b911ef 187->191 192 b91211-b91215 187->192 189 b9119c-b911c2 188->189 190 b911c3 188->190 189->190 194 b911c4-b911dc 189->194 190->194 195 b9125f-b91277 191->195 196 b911f1 191->196 197 b9127f-b91282 192->197 198 b91217-b9121e 192->198 199 b911e0-b911ec 194->199 196->184 202 b91283-b91286 197->202 198->199 200 b91220-b91230 198->200 199->191 206 b9123f-b9125c 200->206 204 b91287-b912a1 202->204 208 b912a3-b912a4 204->208 206->195 210 b912a7-b912aa 208->210 211 b912f9 210->211 212 b912ac-b912ad 210->212 214 b912db-b912dd 211->214 215 b912fb-b91301 211->215 212->197 213 b912af-b912bd 212->213 213->206 219 b912bf 213->219 214->197 218 b912df-b912e1 214->218 215->208 220 b91303-b91305 215->220 221 b912c3-b912c5 218->221 222 b912e3-b912e5 218->222 219->221 225 b91337-b91339 220->225 226 b91307-b91309 220->226 223 b91327-b91329 221->223 224 b912c7-b912c9 221->224 222->226 227 b912e7-b912e9 222->227 228 b9132b-b9132d 223->228 233 b9136b-b9136d 223->233 230 b9130b-b9130d 224->230 231 b912cb-b912cd 224->231 225->228 229 b9133b-b9133d 225->229 226->230 232 b9131b 226->232 234 b9127b 227->234 235 b912eb-b912ed 227->235 228->213 241 b9132f-b91331 228->241 236 b913af-b913b0 229->236 237 b9133f-b91345 229->237 239 b9136f-b91371 230->239 240 b9130f-b91311 230->240 231->197 238 b912cf-b912d1 231->238 232->223 233->239 242 b9138f 233->242 234->197 243 b9135f-b91361 235->243 244 b912ef-b912f1 235->244 250 b913c7-b913d5 236->250 256 b91387-b9138e 237->256 257 b91347-b91349 237->257 238->202 247 b912d3-b912d5 238->247 249 b91313-b91315 239->249 252 b91373-b91375 239->252 248 b91383 240->248 240->249 241->222 253 b91333-b91335 241->253 246 b91393-b9139e 
242->246 243->220 251 b91363-b91364 243->251 244->251 254 b912f3-b912f5 244->254 258 b9139f-b913a7 246->258 247->210 259 b912d7 247->259 248->256 249->210 260 b91317-b91319 249->260 270 b913f7-b913f9 250->270 271 b913d7-b913e5 250->271 255 b912f7-b912f8 251->255 261 b91367-b91369 251->261 252->250 262 b91377-b91379 252->262 253->225 253->257 254->204 254->255 255->211 256->242 257->229 265 b9134b-b9134d 257->265 263 b913ab-b913ac 258->263 259->214 260->232 260->265 261->229 261->233 262->263 264 b9137b-b9137d 262->264 263->236 267 b913ed-b913f6 264->267 268 b9137f-b91382 264->268 265->218 269 b9134f-b91355 265->269 267->270 268->248 269->255 278 b91357-b91359 269->278 273 b9145b-b91474 NtAdjustPrivilegesToken 270->273 274 b913fb-b913fd 270->274 271->270 276 b913e7-b913e9 271->276 274->258 277 b913ff-b91401 274->277 276->273 279 b913eb-b913ec 276->279 277->246 281 b91403-b91404 277->281 278->228 282 b9135b-b9135d 278->282 279->267 283 b9141f 281->283 284 b91407-b9140a 281->284 282->243 282->269 283->273 284->283
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(00B91162,00B90796,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00B9116F
                                                                                                        • Part of subcall function 00B91196: GetProcAddress.KERNEL32(00000000,00B91180), ref: 00B91197
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressLibraryLoadProc
                                                                                                      • String ID: \whptVt
                                                                                                      • API String ID: 2574300362-1160934063
                                                                                                      • Opcode ID: 479442f7bfc4ff850ddc3259933bc137c33014730e34b28b791d72e1ef723d3d
                                                                                                      • Instruction ID: f30fdb83ef619fdb2261199e68639078bbba25d100796390a35f4d1fb93954e0
                                                                                                      • Opcode Fuzzy Hash: 479442f7bfc4ff850ddc3259933bc137c33014730e34b28b791d72e1ef723d3d
                                                                                                      • Instruction Fuzzy Hash: 65813561C1D2836EDF35BB7C48450A9BFF6EA2275071C5EFDC4B19BA53C2228D03A645
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 285 b9252f-b92573 NtOpenSection
                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,0000000E), ref: 00B9255E
                                                                                                      Strings
                                                                                                      • \BaseNamedObjects\whptVt, xrefs: 00B9254B
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: OpenSection
                                                                                                      • String ID: \BaseNamedObjects\whptVt
                                                                                                      • API String ID: 1950954290-1729277563
                                                                                                      • Opcode ID: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
                                                                                                      • Instruction ID: be79e926c7ba3cdd2c7dd474d1815d54d5159c487d34c6ebacd093897ac0aaf8
                                                                                                      • Opcode Fuzzy Hash: d78bf25e7d60e3ca5bd26387aae6e314818fabfb1d4b2e27edbc6fd945c633ca
                                                                                                      • Instruction Fuzzy Hash: 75E09AF17402063AFB288A29CC17FA7228DCB80602F0C8604F918DA080E5B4AB108268
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 286 b92574-b9257c call b9252f 289 b92661-b92664 286->289 290 b92582-b925b4 NtMapViewOfSection FindCloseChangeNotification 286->290 290->289 291 b925ba-b925c0 290->291 292 b925ce-b925d8 291->292 293 b925c2-b925cb 291->293 294 b925da-b925e2 292->294 295 b925ef-b9262a call b92477 * 3 292->295 293->292 294->295 296 b925e4-b925ea call b92477 294->296 304 b9262c-b92632 call b92477 295->304 305 b92637-b9263f 295->305 296->295 304->305 307 b9264c-b92654 305->307 308 b92641-b92647 call b92477 305->308 307->289 310 b92656-b9265c call b92477 307->310 308->307 310->289
                                                                                                      APIs
                                                                                                        • Part of subcall function 00B9252F: NtOpenSection.NTDLL(?,0000000E), ref: 00B9255E
                                                                                                      • NtMapViewOfSection.NTDLL(00000000,?,?,00000000,0000B700,00000000,?,00000002,00100000,00000040), ref: 00B925A4
                                                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,0000B700,00000000,?,00000002,00100000,00000040,00000000,0000B700,00000000,?,00B90815), ref: 00B925AC
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Section$ChangeCloseFindNotificationOpenView
                                                                                                      • String ID:
                                                                                                      • API String ID: 1694706092-0
                                                                                                      • Opcode ID: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
                                                                                                      • Instruction ID: 4953bbd5202766a111081227140ae40ff46effb8d5244a3924d24fe478678d30
                                                                                                      • Opcode Fuzzy Hash: 7bef6bf2a50047ffc7f3cd4018dfe575c0559d17770fc5c6e4c634ed419af6cd
                                                                                                      • Instruction Fuzzy Hash: C0215E70B00605BBDF24EF25CC56FAA73A9FF80744F400168F9198E2A4DBB1AE24C714
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
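Each control_flow_graph line in this report is a flattened edge list: a decimal block id, the basic-block address range (or a single address), any API names resolved inside the block, "call <addr>" for internal callees (with "* N" when the same callee is invoked N times), and "a->b" edges. As an added example that is not part of the Joe Sandbox output or of the sample, the Python below parses that format and runs it over the edge list of the function at b92574 printed above: it finds the block that calls NtMapViewOfSection, counts how many call sites reach the helper at b92477, and recovers the shortest path from the entry block to the last of those call sites. The token grammar is inferred from the lists on this page, not taken from a Joe Sandbox specification.

```python
"""Parse the flattened control_flow_graph edge lists emitted in this report.

Added example; the token grammar is inferred from the lists on this page,
not taken from a Joe Sandbox spec.
"""
import re
from collections import deque

# "b92574-b9257c" (block range) or "b9080f" (single-address block)
BLOCK_RANGE = re.compile(r"^[0-9a-f]{4,}(?:-[0-9a-f]{4,})?$")
# "286->290"
EDGE = re.compile(r"^(\d+)->(\d+)$")

# Constructed input: the edge list of the function at b92574 as printed above.
SAMPLE_CFG = (
    "control_flow_graph 286 b92574-b9257c call b9252f 289 b92661-b92664 286->289 "
    "290 b92582-b925b4 NtMapViewOfSection FindCloseChangeNotification 286->290 "
    "290->289 291 b925ba-b925c0 290->291 292 b925ce-b925d8 291->292 "
    "293 b925c2-b925cb 291->293 294 b925da-b925e2 292->294 "
    "295 b925ef-b9262a call b92477 * 3 292->295 293->292 294->295 "
    "296 b925e4-b925ea call b92477 294->296 304 b9262c-b92632 call b92477 295->304 "
    "305 b92637-b9263f 295->305 296->295 304->305 307 b9264c-b92654 305->307 "
    "308 b92641-b92647 call b92477 305->308 307->289 "
    "310 b92656-b9265c call b92477 307->310 308->307 310->289"
)


def parse_cfg(text):
    """Return (nodes, edges).

    nodes maps id -> {"range": str, "apis": [names], "calls": [callee addrs]};
    edges is a list of (src, dst) ids in the order they appear.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    cur = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and BLOCK_RANGE.match(nxt):
            # "<id> <range>" opens a new basic block
            cur = int(tok)
            nodes[cur] = {"range": nxt, "apis": [], "calls": []}
            i += 2
        elif cur is None:
            raise ValueError("label before any block: %r" % tok)
        elif tok == "call":
            nodes[cur]["calls"].append(nxt)
            i += 2
        elif tok == "*":
            # "call b92477 * 3": the preceding callee is invoked nxt times
            nodes[cur]["calls"].extend([nodes[cur]["calls"][-1]] * (int(nxt) - 1))
            i += 2
        else:
            nodes[cur]["apis"].append(tok)  # an API called from this block
            i += 1
    return nodes, edges


def blocks_calling(nodes, name):
    """Ids of blocks whose label lists the API `name`."""
    return sorted(n for n, b in nodes.items() if name in b["apis"])


def call_count(nodes, callee):
    """Number of call sites (including '* N' repeats) that target `callee`."""
    return sum(b["calls"].count(callee) for b in nodes.values())


def entry(nodes):
    """The first block printed is the function entry."""
    return next(iter(nodes))


def shortest_path(edges, src, dst):
    """BFS over the edge list; None if dst is unreachable from src."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    prev = {src: None}
    queue = deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            break
        for m in adj.get(n, []):
            if m not in prev:
                prev[m] = n
                queue.append(m)
    if dst not in prev:
        return None
    path, n = [], dst
    while n is not None:
        path.append(n)
        n = prev[n]
    return path[::-1]


if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_CFG)
    print(len(nodes), "blocks,", len(edges), "edges")
    print("NtMapViewOfSection in block(s):", blocks_calling(nodes, "NtMapViewOfSection"))
    print("call sites targeting b92477:", call_count(nodes, "b92477"))
    print("entry -> 310:", shortest_path(edges, entry(nodes), 310))
```

The same parser applies unchanged to the other control_flow_graph lines on this page; the only format quirks it has to handle are single-address blocks such as "136 b9080f" and the "* N" repeat suffix.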

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 312 b91422-b91474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                                      APIs
                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                                      • NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00B9146A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3615134276-0
                                                                                                      • Opcode ID: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
                                                                                                      • Instruction ID: d6f38f481fcad269b120698a2c1356ff37e0dff7a02be2eff211d383f83c851a
                                                                                                      • Opcode Fuzzy Hash: cc86f677ff09b61866951c90db79301e57ffd1e2cff1b35255cc9d89dc5b2434
                                                                                                      • Instruction Fuzzy Hash: F8F0E932542010BBD6201B42CC8EED73E28EF533A0F040455F4484E151C2624BA1D3F4
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 313 b92477-b924ad NtProtectVirtualMemory NtWriteVirtualMemory
                                                                                                      APIs
                                                                                                      • NtProtectVirtualMemory.NTDLL(?,?,?,00000040), ref: 00B9249B
                                                                                                      • NtWriteVirtualMemory.NTDLL ref: 00B924A4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: MemoryVirtual$ProtectWrite
                                                                                                      • String ID:
                                                                                                      • API String ID: 151266762-0
                                                                                                      • Opcode ID: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                                      • Instruction ID: 6bbb67ea70d6ee96dfa5f1d7b4d314b28acc786a60d934acbd3f762ecc45b662
                                                                                                      • Opcode Fuzzy Hash: 3b89ad314080acfcfa5e752e4380cd5b7e8fc3aa7940f56e0bfe36a9f1ccff9c
                                                                                                      • Instruction Fuzzy Hash: 2AE012E07502007FF5185F55DC5FF7B391DDB41751F410208FA0A981C4F9A15E18467A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 314 b9144a-b91474 LookupPrivilegeValueA NtAdjustPrivilegesToken
                                                                                                      APIs
                                                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                                      • NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00B9146A
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                                                                                                      • String ID:
                                                                                                      • API String ID: 3615134276-0
                                                                                                      • Opcode ID: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
                                                                                                      • Instruction ID: 47fd2fdfef69c01f2383a78087d1294dd7e4f4bd71475d1ca0affc6c0d2f20e2
                                                                                                      • Opcode Fuzzy Hash: 516db6a43922e3348a8f3b60dc7b7b81588e67f26302b6e21a5b03875f902ac7
                                                                                                      • Instruction Fuzzy Hash: 1BD06771643034BBD6312A568C0EEE77D1DEF577A0F015441F9089A1A1C5A28EA1C6F5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 127 b907ac-b907bf call b9144a FreeLibrary FindCloseChangeNotification 130 b907c5-b907e4 CreateToolhelp32Snapshot Process32First 127->130 131 b907eb-b907f5 Process32Next 130->131 132 b90865-b90872 CloseHandle 131->132 133 b907f7-b907fb 131->133 134 b905a9-b90615 CloseHandle GetModuleHandleA call b910ce 132->134 133->131 135 b907fd-b9080d OpenProcess 133->135 143 b90617-b90630 134->143 135->131 136 b9080f 135->136 138 b90810-b90818 call b92574 136->138 144 b9081a-b90820 138->144 145 b9085c-b90863 CloseHandle 138->145 146 b90639-b90652 143->146 147 b90632 143->147 144->145 148 b90822-b90832 144->148 145->131 146->134 149 b90658-b90671 146->149 147->146 148->145 150 b90834-b9084b CreateRemoteThread 148->150 149->134 151 b90677-b90690 149->151 150->145 152 b9084d-b90857 call b905ba 150->152 151->134 153 b90696-b9069c 151->153 152->145 155 b906d8-b906de 153->155 156 b9069e-b906b1 153->156 157 b906fc-b90715 lstrcpyW call b924ae 155->157 158 b906e0-b906f3 155->158 156->134 159 b906b7-b906bd 156->159 164 b9074c-b90775 NtMapViewOfSection 157->164 165 b90717-b90746 GetPEB lstrcpyW lstrcatW call b924ae 157->165 158->157 160 b906f5 158->160 159->155 162 b906bf-b906d2 159->162 160->157 162->134 162->155 164->134 167 b9077b-b9078f call b90305 NtOpenProcessToken 164->167 165->134 165->164 167->130 171 b90791-b907a3 call b9115d call b907ac 167->171 176 b9080e-b9080f 171->176 177 b907a5 171->177 176->138 177->138 178 b907a7-b907c4 177->178 178->130
                                                                                                      APIs
                                                                                                        • Part of subcall function 00B9144A: LookupPrivilegeValueA.ADVAPI32(00000000,?), ref: 00B9145A
                                                                                                        • Part of subcall function 00B9144A: NtAdjustPrivilegesToken.NTDLL(?,?,00000000,?), ref: 00B9146A
                                                                                                      • CloseHandle.KERNEL32(?), ref: 00B905AD
                                                                                                      • FreeLibrary.KERNEL32(76DF0000,?,00B9079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00B907B8
                                                                                                      • FindCloseChangeNotification.KERNELBASE(?,?,00B9079B,00000000,00007700,00000000,?,00000002,00000000,00000040,00000000,00007700), ref: 00B907BF
                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00B907C9
                                                                                                      • Process32First.KERNEL32 ref: 00B907DC
                                                                                                      • Process32Next.KERNEL32 ref: 00B907ED
                                                                                                      • OpenProcess.KERNEL32(0000002A,00000000,?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00B90805
                                                                                                      • CreateRemoteThread.KERNELBASE(?,00000000,00000000,-00003BD0,00000002,00000000), ref: 00B90842
                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,00000002,00000000,00000040,00000000,00007700), ref: 00B9085D
                                                                                                      • CloseHandle.KERNEL32 ref: 00B9086C
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Close$Handle$CreateProcess32$AdjustChangeFindFirstFreeLibraryLookupNextNotificationOpenPrivilegePrivilegesProcessRemoteSnapshotThreadTokenToolhelp32Value
                                                                                                      • String ID: csrs
                                                                                                      • API String ID: 2727238916-2321902090
                                                                                                      • Opcode ID: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
                                                                                                      • Instruction ID: 5fd36af5a82ae8346d19f1f26e50ec3f9bf64017079b92429ea088d70ce7420c
                                                                                                      • Opcode Fuzzy Hash: f5f5cebb265d1853f7019ca829e2ca1ff70c3e720cc08ba597563a20905a2943
                                                                                                      • Instruction Fuzzy Hash: F9111C30616205FFEF256E21CC8DBBF3AADEF54711F0000ADF94A99091D6B49E019A6A
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%
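The API listing above is a complete remote-thread injection chain: CreateToolhelp32Snapshot(2, 0) (TH32CS_SNAPPROCESS), a Process32First/Process32Next loop whose only string constant is "csrs", OpenProcess with access mask 0x2A, the section "\BaseNamedObjects\whptVt" mapped into the target with Win32Protect 0x40 (PAGE_EXECUTE_READWRITE, see the NtMapViewOfSection call in the function at b92574), the NtProtectVirtualMemory/NtWriteVirtualMemory helper at b92477, and finally CreateRemoteThread. The mask 0x2A decodes to PROCESS_CREATE_THREAD (0x2) | PROCESS_VM_OPERATION (0x8) | PROCESS_VM_WRITE (0x20), exactly the rights that chain needs and nothing more, and the NtOpenSection access 0x0E is SECTION_MAP_WRITE | SECTION_MAP_READ | SECTION_MAP_EXECUTE. As an added example that is not part of the report, the Python below decodes those masks and runs a handle-correlated state machine over a constructed API trace modelled on the listing; the event-dict layout, the handle values and the target PIDs are invented for the demonstration and are not the Joe Sandbox trace format.

```python
"""Flag OpenProcess -> executable mapping -> write -> CreateRemoteThread in an API trace.

Added example. The trace format (list of dicts) and the sample rows are constructed;
the Win32 constants are the documented values.
"""
from dataclasses import dataclass

PROCESS_ACCESS = {
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
EXECUTABLE = {0x10, 0x20, 0x40}
INJECT_RIGHTS = 0x0002 | 0x0008 | 0x0020  # == 0x2A, the OpenProcess mask in the listing


def decode_process_access(mask):
    """Names of the known PROCESS_* bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


@dataclass
class Target:
    pid: int
    image: str
    access: int
    protect: int = 0        # last executable protection applied to the target
    written: bool = False   # NtWriteVirtualMemory hit the target


def detect_injection(trace, protected_prefixes=("csrs",)):
    """Correlate events by process handle; one alert per completed chain."""
    targets = {}  # handle -> Target
    alerts = []
    for ev in trace:
        api, a = ev["api"], ev["args"]
        if api == "OpenProcess":
            targets[ev["ret"]] = Target(a["pid"], a["image"], a["access"])
            continue
        t = targets.get(a.get("process"))
        if t is None:
            continue  # not a call against a handle we are tracking
        if api in ("NtMapViewOfSection", "NtProtectVirtualMemory") and a["protect"] in EXECUTABLE:
            t.protect = a["protect"]
        elif api == "NtWriteVirtualMemory":
            t.written = True
        elif api == "CreateRemoteThread" and t.protect and t.written:
            alerts.append({
                "pid": t.pid,
                "image": t.image,
                "rights": decode_process_access(t.access),
                "minimal_injection_mask": t.access == INJECT_RIGHTS,
                "protection": PAGE_PROTECT.get(t.protect, hex(t.protect)),
                "protected_target": t.image.lower().startswith(tuple(protected_prefixes)),
            })
    return alerts


# Constructed trace modelled on the API listing above; handles and PIDs are invented.
SAMPLE_TRACE = [
    {"api": "CreateToolhelp32Snapshot", "args": {"flags": 0x2, "pid": 0}, "ret": 0x1b8},
    {"api": "OpenProcess", "args": {"access": 0x2A, "inherit": 0, "pid": 412, "image": "csrss.exe"}, "ret": 0x1c4},
    {"api": "NtOpenSection", "args": {"name": r"\BaseNamedObjects\whptVt", "access": 0x0E}, "ret": 0x1c8},
    {"api": "NtMapViewOfSection", "args": {"section": 0x1c8, "process": 0x1c4, "protect": 0x40}, "ret": 0},
    {"api": "NtProtectVirtualMemory", "args": {"process": 0x1c4, "protect": 0x40}, "ret": 0},
    {"api": "NtWriteVirtualMemory", "args": {"process": 0x1c4}, "ret": 0},
    {"api": "CreateRemoteThread", "args": {"process": 0x1c4, "flags": 0}, "ret": 0x1cc},
    # benign control: a query-only handle that never receives a thread
    {"api": "OpenProcess", "args": {"access": 0x1000, "inherit": 0, "pid": 900, "image": "explorer.exe"}, "ret": 0x1d0},
    {"api": "NtReadVirtualMemory", "args": {"process": 0x1d0}, "ret": 0},
]

if __name__ == "__main__":
    print("0x2A =", " | ".join(decode_process_access(0x2A)))
    for alert in detect_injection(SAMPLE_TRACE):
        print(alert)
```

Keying the state on the handle returned by OpenProcess rather than on the PID is deliberate: the later Nt* calls in the listing carry only the handle, and a process that opens several targets (as this loop does for every "csrs"-prefixed entry) needs one state record per handle.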

                                                                                                      Control-flow Graph

                                                                                                      control_flow_graph 315 b93bd5-b93bf1 316 b93c41-b93c4b call b9252f 315->316 317 b93bf3-b93bfb 315->317 325 b93c4d-b93c74 call b93c5a call b926d4 GetProcAddress 316->325 326 b93c93-b93cdb GetSystemDirectoryA call b93cb7 316->326 319 b93bfc-b93bff 317->319 320 b93c2b 319->320 321 b93c01-b93c06 319->321 320->319 324 b93c2d-b93cdb GetWindowsDirectoryA call b93cce 320->324 321->320 323 b93c08-b93c29 321->323 323->320 334 b93cdd-b93d58 GetProcAddress LoadLibraryA call b910ce call b901cb GetTickCount call b93b0e 324->334 339 b93c78-b93c92 call b93c88 325->339 340 b93c76 325->340 326->334 347 b93d5a 334->347 348 b93d60-b93d65 call b93b0e 334->348 339->326 340->339 347->348 351 b93d67-b93d7e 348->351 352 b93d80-b93d90 call b962df call b9273c 351->352 357 b93d92-b93d94 352->357 358 b93d96-b93db2 call b962df 352->358 359 b93db3-b93db4 357->359 358->359 359->352 361 b93db6-b93dbc 359->361 361->351 363 b93dbe-b93dc8 call b9273c 361->363 366 b93dca-b93dd2 call b92750 363->366 367 b93dd7-b93e10 call b9273c GetVolumeInformationA 363->367 366->367 371 b93e1a-b93e20 367->371 372 b93e12-b93e18 367->372 373 b93e29-b93e36 371->373 374 b93e22 371->374 372->373 375 b93ebd 373->375 376 b93e3c-b93e60 call b93e4d 373->376 374->373 377 b93ec7 375->377 376->377 384 b93e62-b93e68 376->384 379 b93ec9-b93ee1 CreateThread CloseHandle 377->379 380 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 377->380 379->380 399 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 380->399 400 b9425f-b94261 RtlExitUserThread 380->400 386 b93e6a-b93e6f 384->386 387 b93e91-b93ea5 384->387 390 b93e98-b93ea5 386->390 391 b93e71-b93e90 386->391 393 b93eac-b93eb6 387->393 390->393 391->387 393->375 395 b93eb8 call b9339d 393->395 395->375 402 b93fa3-b93fbb call b93792 399->402 405 b93fbd-b93fc0 402->405 406 b93fc2-b93fd5 call b93b28 402->406 405->406 407 b93fdd-b93fe5 405->407 412 b93fdb 406->412 413 
b9420d-b94214 406->413 409 b93fe7-b93ff4 lstrlen 407->409 410 b93ff6-b93fff 407->410 409->409 409->410 417 b94005-b9400c 410->417 418 b94254-b9425a 410->418 414 b94012-b94031 412->414 413->400 416 b94216-b9421d 413->416 414->413 422 b94037-b9404a 414->422 419 b9421f-b9422b SetEvent 416->419 420 b94231-b9424f Sleep ResetEvent 416->420 417->414 418->402 419->420 420->402 424 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 422->424 425 b94206 422->425 441 b9412b-b94141 CreateThread CloseHandle 424->441 442 b94147 424->442 425->413 441->442 443 b9414d-b94163 442->443 443->425 445 b94169-b9416b 443->445 446 b9416d-b94185 445->446 447 b9418a-b94192 446->447 448 b94187 446->448 447->446 449 b94194 447->449 448->447 450 b9419a-b9419e 449->450 451 b941b0-b941b2 450->451 452 b941a0-b941a7 call b92f08 450->452 454 b941b4-b941be 451->454 452->425 457 b941a9 452->457 456 b941c3-b941d1 call b96480 call b9649a 454->456 456->443 463 b941d7-b941e1 Sleep 456->463 457->454 459 b941ab-b941ae 457->459 459->450 463->456 464 b941e3-b941f4 GetTickCount 463->464 464->443 465 b941fa-b94201 464->465 465->425 465->443
                                                                                                      APIs
                                                                                                      • GetWindowsDirectoryA.KERNEL32(00B969E2,00000104), ref: 00B93C39
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B93C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96E36,00000000,00000000,00000000,00000000), ref: 00B93DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountDirectoryInformationLibraryLoadTickVolumeWindows
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3969011833-2287716718
                                                                                                      • Opcode ID: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction ID: 72acf008c64b8fab0f0e03d9cfeb0f2b0448e13bb874f1f44f1a6599b565dbbe
                                                                                                      • Opcode Fuzzy Hash: 6fec74ca2565ad77cf16187e820aa09f4f743d7765ef450cb713a8fe50d10e2c
                                                                                                      • Instruction Fuzzy Hash: D3F12671519258BFDF21AF24CC5ABEA3BECEF42700F0405A9E8459F082D7F45F4686A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 466 b93c5a-b93c62 GetModuleHandleA 467 b93c78-b93d58 call b93c88 GetSystemDirectoryA call b93cb7 GetProcAddress LoadLibraryA call b910ce call b901cb GetTickCount call b93b0e 466->467 468 b93c64-b93c66 466->468 484 b93d5a 467->484 485 b93d60-b93d65 call b93b0e 467->485 469 b93c6c-b93c74 GetProcAddress 468->469 470 b93c67 call b926d4 468->470 469->467 473 b93c76 469->473 470->469 473->467 484->485 488 b93d67-b93d7e 485->488 489 b93d80-b93d90 call b962df call b9273c 488->489 494 b93d92-b93d94 489->494 495 b93d96-b93db2 call b962df 489->495 496 b93db3-b93db4 494->496 495->496 496->489 498 b93db6-b93dbc 496->498 498->488 500 b93dbe-b93dc8 call b9273c 498->500 503 b93dca-b93dd2 call b92750 500->503 504 b93dd7-b93e10 call b9273c GetVolumeInformationA 500->504 503->504 508 b93e1a-b93e20 504->508 509 b93e12-b93e18 504->509 510 b93e29-b93e36 508->510 511 b93e22 508->511 509->510 512 b93ebd 510->512 513 b93e3c-b93e60 call b93e4d 510->513 511->510 514 b93ec7 512->514 513->514 521 b93e62-b93e68 513->521 516 b93ec9-b93ee1 CreateThread CloseHandle 514->516 517 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 514->517 516->517 536 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 517->536 537 b9425f-b94261 RtlExitUserThread 517->537 523 b93e6a-b93e6f 521->523 524 b93e91-b93ea5 521->524 527 b93e98-b93ea5 523->527 528 b93e71-b93e90 523->528 530 b93eac-b93eb6 524->530 527->530 528->524 530->512 532 b93eb8 call b9339d 530->532 532->512 539 b93fa3-b93fbb call b93792 536->539 542 b93fbd-b93fc0 539->542 543 b93fc2-b93fd5 call b93b28 539->543 542->543 544 b93fdd-b93fe5 542->544 549 b93fdb 543->549 550 b9420d-b94214 543->550 546 b93fe7-b93ff4 lstrlen 544->546 547 b93ff6-b93fff 544->547 546->546 546->547 554 b94005-b9400c 547->554 555 b94254-b9425a 547->555 551 b94012-b94031 549->551 550->537 553 b94216-b9421d 550->553 551->550 559 b94037-b9404a 551->559 556 b9421f-b9422b SetEvent 553->556 557 b94231-b9424f Sleep ResetEvent 553->557 554->551 555->539 556->557 557->539 561 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 559->561 562 b94206 559->562 578 b9412b-b94141 CreateThread CloseHandle 561->578 579 b94147 561->579 562->550 578->579 580 b9414d-b94163 579->580 580->562 582 b94169-b9416b 580->582 583 b9416d-b94185 582->583 584 b9418a-b94192 583->584 585 b94187 583->585 584->583 586 b94194 584->586 585->584 587 b9419a-b9419e 586->587 588 b941b0-b941b2 587->588 589 b941a0-b941a7 call b92f08 587->589 591 b941b4-b941be 588->591 589->562 594 b941a9 589->594 593 b941c3-b941d1 call b96480 call b9649a 591->593 593->580 600 b941d7-b941e1 Sleep 593->600 594->591 596 b941ab-b941ae 594->596 596->587 600->593 601 b941e3-b941f4 GetTickCount 600->601 601->580 602 b941fa-b94201 601->602 602->562 602->580
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00B93C52), ref: 00B93C5A
                                                                                                      • GetProcAddress.KERNEL32(00000000,00000002), ref: 00B93C6C
                                                                                                      • GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressProc$CountHandleLibraryLoadModuleTick
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2837544101-2287716718
                                                                                                      • Opcode ID: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction ID: 41a9bd0b1ba9f35c7b0852df9117ac36292f32ed1162bd3b3a31f36655a9e1b4
                                                                                                      • Opcode Fuzzy Hash: 027acb289342bb118d02a87de8172ec9d27ea8879ecf6df1c79d6d68dda35319
                                                                                                      • Instruction Fuzzy Hash: B6E12671519258BFDF25AF34CC5ABEA3BECEF42700F0005A9E8459E082D7F45F4686A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 603 b93c88-b93d58 GetModuleHandleA call b926d4 GetSystemDirectoryA call b93cb7 GetProcAddress LoadLibraryA call b910ce call b901cb GetTickCount call b93b0e 615 b93d5a 603->615 616 b93d60-b93d65 call b93b0e 603->616 615->616 619 b93d67-b93d7e 616->619 620 b93d80-b93d90 call b962df call b9273c 619->620 625 b93d92-b93d94 620->625 626 b93d96-b93db2 call b962df 620->626 627 b93db3-b93db4 625->627 626->627 627->620 629 b93db6-b93dbc 627->629 629->619 631 b93dbe-b93dc8 call b9273c 629->631 634 b93dca-b93dd2 call b92750 631->634 635 b93dd7-b93e10 call b9273c GetVolumeInformationA 631->635 634->635 639 b93e1a-b93e20 635->639 640 b93e12-b93e18 635->640 641 b93e29-b93e36 639->641 642 b93e22 639->642 640->641 643 b93ebd 641->643 644 b93e3c-b93e60 call b93e4d 641->644 642->641 645 b93ec7 643->645 644->645 652 b93e62-b93e68 644->652 647 b93ec9-b93ee1 CreateThread CloseHandle 645->647 648 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 645->648 647->648 667 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 648->667 668 b9425f-b94261 RtlExitUserThread 648->668 654 b93e6a-b93e6f 652->654 655 b93e91-b93ea5 652->655 658 b93e98-b93ea5 654->658 659 b93e71-b93e90 654->659 661 b93eac-b93eb6 655->661 658->661 659->655 661->643 663 b93eb8 call b9339d 661->663 663->643 670 b93fa3-b93fbb call b93792 667->670 673 b93fbd-b93fc0 670->673 674 b93fc2-b93fd5 call b93b28 670->674 673->674 675 b93fdd-b93fe5 673->675 680 b93fdb 674->680 681 b9420d-b94214 674->681 677 b93fe7-b93ff4 lstrlen 675->677 678 b93ff6-b93fff 675->678 677->677 677->678 685 b94005-b9400c 678->685 686 b94254-b9425a 678->686 682 b94012-b94031 680->682 681->668 684 b94216-b9421d 681->684 682->681 690 b94037-b9404a 682->690 687 b9421f-b9422b SetEvent 684->687 688 b94231-b9424f Sleep ResetEvent 684->688 685->682 686->670 687->688 688->670 692 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 690->692 693 b94206 690->693 709 b9412b-b94141 CreateThread CloseHandle 692->709 710 b94147 692->710 693->681 709->710 711 b9414d-b94163 710->711 711->693 713 b94169-b9416b 711->713 714 b9416d-b94185 713->714 715 b9418a-b94192 714->715 716 b94187 714->716 715->714 717 b94194 715->717 716->715 718 b9419a-b9419e 717->718 719 b941b0-b941b2 718->719 720 b941a0-b941a7 call b92f08 718->720 722 b941b4-b941be 719->722 720->693 725 b941a9 720->725 724 b941c3-b941d1 call b96480 call b9649a 722->724 724->711 731 b941d7-b941e1 Sleep 724->731 725->722 727 b941ab-b941ae 725->727 727->718 731->724 732 b941e3-b941f4 GetTickCount 731->732 732->711 733 b941fa-b94201 732->733 733->693 733->711
                                                                                                      APIs
                                                                                                      • GetModuleHandleA.KERNEL32(00B93C7D), ref: 00B93C88
                                                                                                      • GetSystemDirectoryA.KERNEL32(00B969E2,00000104), ref: 00B93C9F
                                                                                                        • Part of subcall function 00B93CB7: lstrcat.KERNEL32(00B969E2,00B93CAA), ref: 00B93CB8
                                                                                                        • Part of subcall function 00B93CB7: GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                        • Part of subcall function 00B93CB7: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                        • Part of subcall function 00B93CB7: GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                        • Part of subcall function 00B93CB7: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96E36,00000000,00000000,00000000,00000000), ref: 00B93DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: AddressCountDirectoryHandleInformationLibraryLoadModuleProcSystemTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 215653160-2287716718
                                                                                                      • Opcode ID: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction ID: 5fb30711a3cd8829a3de750a46f7f9e3c225f42510b0120acc48d72e89f5c265
                                                                                                      • Opcode Fuzzy Hash: 655e1f48a5b14d5ebf2e49081fd326607dd54f27207fd34772f1e266f9ded85e
                                                                                                      • Instruction Fuzzy Hash: D9D12571515258BFDF25AF34CC5ABEA3BECEF42700F0005A9E8499E082D7F45F4686A5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 734 b93cb7-b93d58 lstrcat call b93cce GetProcAddress LoadLibraryA call b910ce call b901cb GetTickCount call b93b0e 745 b93d5a 734->745 746 b93d60-b93d65 call b93b0e 734->746 745->746 749 b93d67-b93d7e 746->749 750 b93d80-b93d90 call b962df call b9273c 749->750 755 b93d92-b93d94 750->755 756 b93d96-b93db2 call b962df 750->756 757 b93db3-b93db4 755->757 756->757 757->750 759 b93db6-b93dbc 757->759 759->749 761 b93dbe-b93dc8 call b9273c 759->761 764 b93dca-b93dd2 call b92750 761->764 765 b93dd7-b93e10 call b9273c GetVolumeInformationA 761->765 764->765 769 b93e1a-b93e20 765->769 770 b93e12-b93e18 765->770 771 b93e29-b93e36 769->771 772 b93e22 769->772 770->771 773 b93ebd 771->773 774 b93e3c-b93e60 call b93e4d 771->774 772->771 775 b93ec7 773->775 774->775 782 b93e62-b93e68 774->782 777 b93ec9-b93ee1 CreateThread CloseHandle 775->777 778 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 775->778 777->778 797 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 778->797 798 b9425f-b94261 RtlExitUserThread 778->798 784 b93e6a-b93e6f 782->784 785 b93e91-b93ea5 782->785 788 b93e98-b93ea5 784->788 789 b93e71-b93e90 784->789 791 b93eac-b93eb6 785->791 788->791 789->785 791->773 793 b93eb8 call b9339d 791->793 793->773 800 b93fa3-b93fbb call b93792 797->800 803 b93fbd-b93fc0 800->803 804 b93fc2-b93fd5 call b93b28 800->804 803->804 805 b93fdd-b93fe5 803->805 810 b93fdb 804->810 811 b9420d-b94214 804->811 807 b93fe7-b93ff4 lstrlen 805->807 808 b93ff6-b93fff 805->808 807->807 807->808 815 b94005-b9400c 808->815 816 b94254-b9425a 808->816 812 b94012-b94031 810->812 811->798 814 b94216-b9421d 811->814 812->811 820 b94037-b9404a 812->820 817 b9421f-b9422b SetEvent 814->817 818 b94231-b9424f Sleep ResetEvent 814->818 815->812 816->800 817->818 818->800 822 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 820->822 823 b94206 820->823 839 b9412b-b94141 CreateThread CloseHandle 822->839 840 b94147 822->840 823->811 839->840 841 b9414d-b94163 840->841 841->823 843 b94169-b9416b 841->843 844 b9416d-b94185 843->844 845 b9418a-b94192 844->845 846 b94187 844->846 845->844 847 b94194 845->847 846->845 848 b9419a-b9419e 847->848 849 b941b0-b941b2 848->849 850 b941a0-b941a7 call b92f08 848->850 852 b941b4-b941be 849->852 850->823 855 b941a9 850->855 854 b941c3-b941d1 call b96480 call b9649a 852->854 854->841 861 b941d7-b941e1 Sleep 854->861 855->852 857 b941ab-b941ae 855->857 857->848 861->854 862 b941e3-b941f4 GetTickCount 861->862 862->841 863 b941fa-b94201 862->863 863->823 863->841
                                                                                                      APIs
                                                                                                      • lstrcat.KERNEL32(00B969E2,00B93CAA), ref: 00B93CB8
                                                                                                        • Part of subcall function 00B93CCE: LoadLibraryA.KERNEL32(00B93CC3), ref: 00B93CCE
                                                                                                        • Part of subcall function 00B93CCE: GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                        • Part of subcall function 00B93CCE: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                        • Part of subcall function 00B93CCE: GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                        • Part of subcall function 00B93CCE: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96E36,00000000,00000000,00000000,00000000), ref: 00B93DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolumelstrcat
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2038497427-2287716718
                                                                                                      • Opcode ID: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
                                                                                                      • Instruction ID: 306973a16181de277704e99c38c6501fe0fef32c7c3702d67adc05bf52c8b0fc
                                                                                                      • Opcode Fuzzy Hash: 6015bc910092ae8f3cfbb4603391d7f6777f93900d010c705f53bc10b9c9ab02
                                                                                                      • Instruction Fuzzy Hash: AED12371515258BFDF25AF34CC5ABEA3BECEF42700F0005A9E8499E082D7F45F4686A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 864 b93cce-b93d58 LoadLibraryA call b93ce3 GetProcAddress LoadLibraryA call b910ce call b901cb GetTickCount call b93b0e 875 b93d5a 864->875 876 b93d60-b93d65 call b93b0e 864->876 875->876 879 b93d67-b93d7e 876->879 880 b93d80-b93d90 call b962df call b9273c 879->880 885 b93d92-b93d94 880->885 886 b93d96-b93db2 call b962df 880->886 887 b93db3-b93db4 885->887 886->887 887->880 889 b93db6-b93dbc 887->889 889->879 891 b93dbe-b93dc8 call b9273c 889->891 894 b93dca-b93dd2 call b92750 891->894 895 b93dd7-b93e10 call b9273c GetVolumeInformationA 891->895 894->895 899 b93e1a-b93e20 895->899 900 b93e12-b93e18 895->900 901 b93e29-b93e36 899->901 902 b93e22 899->902 900->901 903 b93ebd 901->903 904 b93e3c-b93e60 call b93e4d 901->904 902->901 905 b93ec7 903->905 904->905 912 b93e62-b93e68 904->912 907 b93ec9-b93ee1 CreateThread CloseHandle 905->907 908 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 905->908 907->908 927 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 908->927 928 b9425f-b94261 RtlExitUserThread 908->928 914 b93e6a-b93e6f 912->914 915 b93e91-b93ea5 912->915 918 b93e98-b93ea5 914->918 919 b93e71-b93e90 914->919 921 b93eac-b93eb6 915->921 918->921 919->915 921->903 923 b93eb8 call b9339d 921->923 923->903 930 b93fa3-b93fbb call b93792 927->930 933 b93fbd-b93fc0 930->933 934 b93fc2-b93fd5 call b93b28 930->934 933->934 935 b93fdd-b93fe5 933->935 940 b93fdb 934->940 941 b9420d-b94214 934->941 937 b93fe7-b93ff4 lstrlen 935->937 938 b93ff6-b93fff 935->938 937->937 937->938 945 b94005-b9400c 938->945 946 b94254-b9425a 938->946 942 b94012-b94031 940->942 941->928 944 b94216-b9421d 941->944 942->941 950 b94037-b9404a 942->950 947 b9421f-b9422b SetEvent 944->947 948 b94231-b9424f Sleep ResetEvent 944->948 945->942 946->930 947->948 948->930 952 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 950->952 953 b94206 950->953 969 b9412b-b94141 CreateThread CloseHandle 952->969 970 b94147 952->970 953->941 969->970 971 b9414d-b94163 970->971 971->953 973 b94169-b9416b 971->973 974 b9416d-b94185 973->974 975 b9418a-b94192 974->975 976 b94187 974->976 975->974 977 b94194 975->977 976->975 978 b9419a-b9419e 977->978 979 b941b0-b941b2 978->979 980 b941a0-b941a7 call b92f08 978->980 982 b941b4-b941be 979->982 980->953 985 b941a9 980->985 984 b941c3-b941d1 call b96480 call b9649a 982->984 984->971 991 b941d7-b941e1 Sleep 984->991 985->982 987 b941ab-b941ae 985->987 987->978 991->984 992 b941e3-b941f4 GetTickCount 991->992 992->971 993 b941fa-b94201 992->993 993->953 993->971
                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(00B93CC3), ref: 00B93CCE
                                                                                                        • Part of subcall function 00B93CE3: GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                        • Part of subcall function 00B93CE3: LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                        • Part of subcall function 00B93CE3: GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                        • Part of subcall function 00B93CE3: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96E36,00000000,00000000,00000000,00000000), ref: 00B93DFD
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: LibraryLoad$AddressCountInformationProcTickVolume
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3734769084-2287716718
                                                                                                      • Opcode ID: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
                                                                                                      • Instruction ID: 47f88a064ac9f54ec28fd067b2385f0f083036390a86e7f291b5b6cae8e7948b
                                                                                                      • Opcode Fuzzy Hash: 2493f2ca0a9d17d60b0ae92595658eb790e1a8e0bd0394b2349fd16cbfe48cab
                                                                                                      • Instruction Fuzzy Hash: A7D12371515258BEEF25AF34CC5ABEA3BECEF42700F0005A9E8499E082D7F45F4586A5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      Control-flow Graph

                                                                                                      • Executed
                                                                                                      • Not Executed
                                                                                                      control_flow_graph 994 b93ce3-b93d0a GetProcAddress LoadLibraryA 995 b93d15-b93d58 call b901cb GetTickCount call b93b0e 994->995 996 b93d10 call b910ce 994->996 1001 b93d5a 995->1001 1002 b93d60-b93d65 call b93b0e 995->1002 996->995 1001->1002 1005 b93d67-b93d7e 1002->1005 1006 b93d80-b93d90 call b962df call b9273c 1005->1006 1011 b93d92-b93d94 1006->1011 1012 b93d96-b93db2 call b962df 1006->1012 1013 b93db3-b93db4 1011->1013 1012->1013 1013->1006 1015 b93db6-b93dbc 1013->1015 1015->1005 1017 b93dbe-b93dc8 call b9273c 1015->1017 1020 b93dca-b93dd2 call b92750 1017->1020 1021 b93dd7-b93e10 call b9273c GetVolumeInformationA 1017->1021 1020->1021 1025 b93e1a-b93e20 1021->1025 1026 b93e12-b93e18 1021->1026 1027 b93e29-b93e36 1025->1027 1028 b93e22 1025->1028 1026->1027 1029 b93ebd 1027->1029 1030 b93e3c-b93e60 call b93e4d 1027->1030 1028->1027 1031 b93ec7 1029->1031 1030->1031 1038 b93e62-b93e68 1030->1038 1033 b93ec9-b93ee1 CreateThread CloseHandle 1031->1033 1034 b93ee7-b93f54 call b93ef8 call b910ce call b93f27 call b910ce 1031->1034 1033->1034 1053 b93f5a-b93f9d CreateThread CloseHandle CreateEventA 1034->1053 1054 b9425f-b94261 RtlExitUserThread 1034->1054 1040 b93e6a-b93e6f 1038->1040 1041 b93e91-b93ea5 1038->1041 1044 b93e98-b93ea5 1040->1044 1045 b93e71-b93e90 1040->1045 1047 b93eac-b93eb6 1041->1047 1044->1047 1045->1041 1047->1029 1049 b93eb8 call b9339d 1047->1049 1049->1029 1056 b93fa3-b93fbb call b93792 1053->1056 1059 b93fbd-b93fc0 1056->1059 1060 b93fc2-b93fd5 call b93b28 1056->1060 1059->1060 1061 b93fdd-b93fe5 1059->1061 1066 b93fdb 1060->1066 1067 b9420d-b94214 1060->1067 1063 b93fe7-b93ff4 lstrlen 1061->1063 1064 b93ff6-b93fff 1061->1064 1063->1063 1063->1064 1071 b94005-b9400c 1064->1071 1072 b94254-b9425a 1064->1072 1068 b94012-b94031 1066->1068 1067->1054 1070 b94216-b9421d 1067->1070 1068->1067 1076 b94037-b9404a 1068->1076 1073 b9421f-b9422b SetEvent 1070->1073 1074 b94231-b9424f Sleep ResetEvent 1070->1074 1071->1068 1072->1056 1073->1074 1074->1056 1078 b94050-b94129 call b9273c call b92750 GetVersionExA call b92750 call b932f0 call b94109 call b932f0 1076->1078 1079 b94206 1076->1079 1095 b9412b-b94141 CreateThread CloseHandle 1078->1095 1096 b94147 1078->1096 1079->1067 1095->1096 1097 b9414d-b94163 1096->1097 1097->1079 1099 b94169-b9416b 1097->1099 1100 b9416d-b94185 1099->1100 1101 b9418a-b94192 1100->1101 1102 b94187 1100->1102 1101->1100 1103 b94194 1101->1103 1102->1101 1104 b9419a-b9419e 1103->1104 1105 b941b0-b941b2 1104->1105 1106 b941a0-b941a7 call b92f08 1104->1106 1108 b941b4-b941be 1105->1108 1106->1079 1111 b941a9 1106->1111 1110 b941c3-b941d1 call b96480 call b9649a 1108->1110 1110->1097 1117 b941d7-b941e1 Sleep 1110->1117 1111->1108 1113 b941ab-b941ae 1111->1113 1113->1104 1117->1110 1118 b941e3-b941f4 GetTickCount 1117->1118 1118->1097 1119 b941fa-b94201 1118->1119 1119->1079 1119->1097
                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(00000000,00B93CD9), ref: 00B93CE4
                                                                                                      • LoadLibraryA.KERNEL32(ADVAPI32.DLL), ref: 00B93CF7
                                                                                                      • GetTickCount.KERNEL32 ref: 00B93D2B
                                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00B96E36,00000000,00000000,00000000,00000000), ref: 00B93DFD
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,00B93629,00000000,00000000), ref: 00B93ED8
                                                                                                      • CloseHandle.KERNEL32(?,54521404), ref: 00B93EE1
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00B93F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 00B93F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93F97
                                                                                                      • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B9408C
                                                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00B94225
                                                                                                      • Sleep.KERNEL32(00007530,?,00000000), ref: 00B94236
                                                                                                      • ResetEvent.KERNEL32(?,?,00000000), ref: 00B94249
                                                                                                      Strings
                                                                                                      • ADVAPI32.DLL, xrefs: 00B93CF6
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateEvent$CloseHandleThread$AddressCountInformationLibraryLoadProcResetSleepTickVersionVolume
                                                                                                      • String ID: ADVAPI32.DLL$SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 2334578396-2287716718
                                                                                                      • Opcode ID: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
                                                                                                      • Instruction ID: 21cebc7aab3096735b77ecfa4cc2e550bd7145f067ab73509cc4df337b4ce6f7
                                                                                                      • Opcode Fuzzy Hash: 947b9679796d591e9ada89db576f74309ff53d0a5c4f8047994469cffe21920d
                                                                                                      • Instruction Fuzzy Hash: CDD10371515258BEEF25AF34CC5ABEA3BECEF42700F0006A9E8499F082D7F45F4586A5
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B933E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B9342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B93438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 00B93450
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: \Device\PhysicalMemory
                                                                                                      • API String ID: 2985292042-2007344781
                                                                                                      • Opcode ID: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction ID: 237baccaf2de8cab8354dc16bd9c9d419d4a29311ba5d125489f489da6152fc1
                                                                                                      • Opcode Fuzzy Hash: 561ceb251a9ee27251f20cf668687e795924f4ca3d2f92a1e9259e8415ac6dd8
                                                                                                      • Instruction Fuzzy Hash: 0D819D71500208FFEF249F14CC89ABA37ACEF48B11F114568ED199B291D7F0AF55CAA8
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B933E2
                                                                                                      • NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93401
                                                                                                      • MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B9342B
                                                                                                      • CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B93438
                                                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 00B93450
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: FileView$CloseHandleInformationOpenQuerySectionSystemUnmap
                                                                                                      • String ID: ysic
                                                                                                      • API String ID: 2985292042-20973071
                                                                                                      • Opcode ID: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction ID: c407c6b32d0cea5e3b99d20dd3ea92ef52d201df83196300d593a91073923c7c
                                                                                                      • Opcode Fuzzy Hash: 83cfc29f16e685118e4cac80380ae0b62c24e54c169c44b406135decc174f522
                                                                                                      • Instruction Fuzzy Hash: DA118271540609FBEB349F14CC56FAB36BCEF88B10F104528EA199B2D0D7F46F148668
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • lstrcpyW.KERNEL32(?,\BaseNamedObjects\whptVt), ref: 00B924BA
                                                                                                      • lstrlenW.KERNEL32(?), ref: 00B924C1
                                                                                                      • NtCreateSection.NTDLL(?,0000000E,?,?,00000040,08000000,00000000), ref: 00B92516
                                                                                                      Strings
                                                                                                      • \BaseNamedObjects\whptVt, xrefs: 00B924B8
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateSectionlstrcpylstrlen
                                                                                                      • String ID: \BaseNamedObjects\whptVt
                                                                                                      • API String ID: 2597515329-1729277563
                                                                                                      • Opcode ID: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction ID: 1d9a2fe98837634da8107fabe165021395c62558a86072c1177b1417ea6ebf35
                                                                                                      • Opcode Fuzzy Hash: 6df0d3fc1f16acd4470fa2c95d69911b6900c7005e3f5048832692c16ca5b6c3
                                                                                                      • Instruction Fuzzy Hash: DD01F4B0781304BBF7305B29CC4BF5F3969CF81B50F448054F708AE1C4DAB89A0483A9
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(00B93F1B), ref: 00B93F27
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00B93F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 00B93F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93F97
                                                                                                      • lstrlen.KERNEL32(src.gide.at,?,00000000), ref: 00B93FE8
                                                                                                      • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B9408C
                                                                                                      • CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 00B94138
                                                                                                      • CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,00B96E36,00000000,63727305,63727305,00B93AEA,00000014,00000000), ref: 00B94141
                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 00B94261
                                                                                                      Strings
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CreateThread$CloseHandle$EventExitLibraryLoadUserVersionlstrlen
                                                                                                      • String ID: src.gide.at
                                                                                                      • API String ID: 3753104081-1863607250
                                                                                                      • Opcode ID: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
                                                                                                      • Instruction ID: 964933fe1f4c8852f5a9cd5a6f6f2fc2f8adcfc89c6605ae39ddf6b95f37a01b
                                                                                                      • Opcode Fuzzy Hash: cd3075aa6ac5a1b2a324a193c1ece853ea8a8685f00cea4c4ff8086d10106105
                                                                                                      • Instruction Fuzzy Hash: 1381BF71519249BFDF219F24C85AFEA7BECEF42700F0405A8E8599E081C7F49F468B69
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • GetProcAddress.KERNEL32(00000000,00B93E58), ref: 00B93E65
                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00B969E2,000000C8), ref: 00B93E7A
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,00B93629,00000000,00000000), ref: 00B93ED8
                                                                                                      • CloseHandle.KERNEL32(?,54521404), ref: 00B93EE1
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00B93F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 00B93F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93F97
                                                                                                        • Part of subcall function 00B9339D: NtOpenSection.NTDLL(?,00000006,?,00000018,?,?,00000040,?,?,63697379), ref: 00B933E2
                                                                                                        • Part of subcall function 00B9339D: NtQuerySystemInformation.NTDLL(0000000B,?,00000120,00000000), ref: 00B93401
                                                                                                        • Part of subcall function 00B9339D: MapViewOfFile.KERNEL32(?,00000006,00000000,?,?,?,00000120,00000000), ref: 00B9342B
                                                                                                        • Part of subcall function 00B9339D: CloseHandle.KERNEL32(?,00000000,?,00000120,00000000), ref: 00B93438
                                                                                                        • Part of subcall function 00B9339D: UnmapViewOfFile.KERNEL32(?), ref: 00B93450
                                                                                                      Strings
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: CloseCreateFileHandle$ThreadView$AddressEventInformationModuleNameOpenProcQuerySectionSystemUnmap
                                                                                                      • String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 3400179232-621207024
                                                                                                      • Opcode ID: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
                                                                                                      • Instruction ID: d83c064f44f57010f608f3009dab9fbd143f85635a05407bbac6e323ea98af61
                                                                                                      • Opcode Fuzzy Hash: 3b4c00c77de353b703b27fe9e0b05dac0049b0b034d594c042b1972db7874499
                                                                                                      • Instruction Fuzzy Hash: 3391D071519258BFDF21AF24CC4AFEA7BACEF42300F0006A9F8595E081D7F05F4686A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • LoadLibraryA.KERNEL32(00B93E41), ref: 00B93E4D
                                                                                                        • Part of subcall function 00B93E64: GetProcAddress.KERNEL32(00000000,00B93E58), ref: 00B93E65
                                                                                                        • Part of subcall function 00B93E64: GetModuleFileNameA.KERNEL32(00000000,00B969E2,000000C8), ref: 00B93E7A
                                                                                                        • Part of subcall function 00B93E64: CreateThread.KERNEL32(00000000,00000000,00B93629,00000000,00000000), ref: 00B93ED8
                                                                                                        • Part of subcall function 00B93E64: CloseHandle.KERNEL32(?,54521404), ref: 00B93EE1
                                                                                                      • CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00B93F81
                                                                                                      • CloseHandle.KERNEL32(?,00000000), ref: 00B93F8A
                                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93F97
                                                                                                      • GetVersionExA.KERNEL32(?,?,00000000), ref: 00B9408C
                                                                                                      Strings
                                                                                                      • SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, xrefs: 00B93EA4
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
                                                                                                      • Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
                                                                                                      Similarity
                                                                                                      • API ID: Create$CloseHandleThread$AddressEventFileLibraryLoadModuleNameProcVersion
                                                                                                      • String ID: SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
                                                                                                      • API String ID: 4113580538-621207024
                                                                                                      • Opcode ID: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
                                                                                                      • Instruction ID: cb26a6ee2c2aa37dadd6873211ac1e25325a1b788898ad7ff6dfc83ddd17e925
                                                                                                      • Opcode Fuzzy Hash: 87f197dd41939147b2960925833c34f02f8e43997e3fe373c143eff21418308d
                                                                                                      • Instruction Fuzzy Hash: 8B910471519244BEDF21AF24CC5ABEA7BECEF42300F0405A9F8599E082C6F45F0686A6
                                                                                                      Uniqueness

                                                                                                      Uniqueness Score: -1.00%

                                                                                                      APIs
                                                                                                      • CreateThread.KERNEL32(?,?,Function_000037B1,63727305), ref: 00B94138
                                                                                                      • CloseHandle.KERNEL32(?,?,Function_000037B1,63727305,?,?,00000023,00B96E36,00000000,63727305,63727305,00B93AEA,00000014,00000000), ref: 00B94141
                                                                                                      • Sleep.KERNEL32(00000064,?,?,?,Function_000037B1,63727305,?,?,00000023,00B96E36,00000000,63727305,63727305,00B93AEA,00000014,00000000), ref: 00B941DA
                                                                                                      • GetTickCount.KERNEL32 ref: 00B941E3
                                                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00B94225
                                                                                                      • Sleep.KERNEL32(00007530,?,00000000), ref: 00B94236
                                                                                                      • ResetEvent.KERNEL32(?,?,00000000), ref: 00B94249
                                                                                                      Memory Dump Source
                                                                                                      • Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
                                                                                                      Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
Similarity
• API ID: EventSleep$CloseCountCreateHandleResetThreadTick
• String ID:
• API String ID: 1870499893-0
• Opcode ID: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
• Instruction ID: f494a5dc3412224112fac7638019df45ce83c6e83da13d5d1a9e2fd4fdb50c2c
• Opcode Fuzzy Hash: fc55b44dffeed9f0fa34af6d0f9333e7e97c5298c09aa9a8cf59fe694ab0a9b6
• Instruction Fuzzy Hash: B1611471518259BADF219F24C81AFDE7FECEF42700F1405A8E8596E081C3F49F428769
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(00B93EEC), ref: 00B93EF8
  • Part of subcall function 00B93F27: LoadLibraryA.KERNEL32(00B93F1B), ref: 00B93F27
  • Part of subcall function 00B93F27: CreateThread.KERNEL32(00000000,00000000,Function_00003820,00000000,00000000), ref: 00B93F81
  • Part of subcall function 00B93F27: CloseHandle.KERNEL32(?,00000000), ref: 00B93F8A
  • Part of subcall function 00B93F27: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000), ref: 00B93F97
  • Part of subcall function 00B93F27: GetVersionExA.KERNEL32(?,?,00000000), ref: 00B9408C
Memory Dump Source
• Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
Similarity
• API ID: CreateLibraryLoad$CloseEventHandleThreadVersion
• String ID:
• API String ID: 4090826934-0
• Opcode ID: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction ID: e6021ba5a7e6944ceeca23986e34b42041923e82b4ee327422a38f8f2431591e
• Opcode Fuzzy Hash: 25854abc98b3accc8cf8ec0414aa342a2e8bceb29aad210d583b08b6067569f1
• Instruction Fuzzy Hash: CB61C371519259BEDF21AF24CC5ABEA7BECEF42300F0406A9F8595E081C3F45F4687A6
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempPathA.KERNEL32(00000104), ref: 00B9278C
  • Part of subcall function 00B927A7: GetTempFileNameA.KERNEL32(?,00B927A3,00000000,?), ref: 00B927A8
  • Part of subcall function 00B927A7: CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B927A3,00000000,?), ref: 00B927C3
  • Part of subcall function 00B927A7: WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927F3
  • Part of subcall function 00B927A7: CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927FF
  • Part of subcall function 00B927A7: CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B927A3), ref: 00B92823
Memory Dump Source
• Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
Similarity
• API ID: File$CreateTemp$CloseHandleNamePathProcessWrite
• String ID:
• API String ID: 3982275768-0
• Opcode ID: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction ID: 78ae9dc6ef911018332577c6170a18bf8862225060bc200ef901366bd4b18b7c
• Opcode Fuzzy Hash: 9442bed387485dd5c6208b040b775dce7909e05c58a4aabe22b0929d4f7f6822
• Instruction Fuzzy Hash: 9921C0B1145205BFEB215B20DC8EFFF3A6CEF95B10F000129FA4499091D7B59E058676
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetTempFileNameA.KERNEL32(?,00B927A3,00000000,?), ref: 00B927A8
• CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000,?,00B927A3,00000000,?), ref: 00B927C3
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927F3
• CloseHandle.KERNEL32(?,00000104,?,00000000,?,00B927A3,00000000,?), ref: 00B927FF
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00000104,?,00000000,?,00B927A3), ref: 00B92823
Memory Dump Source
• Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
Similarity
• API ID: File$Create$CloseHandleNameProcessTempWrite
• String ID:
• API String ID: 463619559-0
• Opcode ID: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
• Instruction ID: 23e62b59c0cf0b9dc5bb4bcabfe735fd93577630fa4e74804dee52a4e29cfed7
• Opcode Fuzzy Hash: 79ba4446e2a00169ac63f746143a5fe332799a213c8ddaac65906699330d25c2
• Instruction Fuzzy Hash: 50116DB1101605FBEB254B20DC4AFFB7A6DEF88B10F004529FA0599090DBF49E5096A8
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetModuleHandleA.KERNEL32(0019FF1C), ref: 00B9113D
• GetProcAddress.KERNEL32(00000000,00B911D6), ref: 00B91148
Strings
Memory Dump Source
• Source File: 00000009.00000002.522605251.0000000000B90000.00000040.10000000.00040000.00000000.sdmp, Offset: 00B90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b90000_mssecsvc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: .DLL
• API String ID: 1646373207-899428287
• Opcode ID: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
• Instruction ID: 5f4d99885677d4cb9b890cf5298660691b26be162054dd98857753839a41481e
• Opcode Fuzzy Hash: 10ee03f602b6349dc7cedc8c09501795956ad4c0f43e49632d56126e52950066
• Instruction Fuzzy Hash: 7601D630215117FACF659E2CC8496EA3BECEF05341F0049B4EA1A9B156C770DE80E695
Uniqueness

Uniqueness Score: -1.00%