Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
habHh1BC0L.dll

Overview

General Information

Sample name:habHh1BC0L.dll
renamed because original name is a hash value
Original sample name:a34d8bd7493c5f8c2bf381a0267de463.dll
Analysis ID:1591365
MD5:a34d8bd7493c5f8c2bf381a0267de463
SHA1:19326be1a905a053f95cef69a630d30cb298bd5b
SHA256:133e1d4c87a3728c2888997025565651e654f5af74c5428f822c9c058ec3b35e
Tags:dllexeuser-mentality
Infos:

Detection

Wannacry
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7300 cmdline: loaddll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7352 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7372 cmdline: rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • mssecsvr.exe (PID: 7440 cmdline: C:\WINDOWS\mssecsvr.exe MD5: FF830E078CB269B709C952BDF1F34D24)
          • tasksche.exe (PID: 7700 cmdline: C:\WINDOWS\tasksche.exe /i MD5: CBB4BE2403D2BE4554AA9BE6B49A7B62)
    • rundll32.exe (PID: 7360 cmdline: rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7604 cmdline: rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 7620 cmdline: C:\WINDOWS\mssecsvr.exe MD5: FF830E078CB269B709C952BDF1F34D24)
        • tasksche.exe (PID: 7904 cmdline: C:\WINDOWS\tasksche.exe /i MD5: CBB4BE2403D2BE4554AA9BE6B49A7B62)
  • mssecsvr.exe (PID: 7568 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: FF830E078CB269B709C952BDF1F34D24)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
WannaCryptor, WannaCry, WannaCrypt
  • Lazarus Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
habHh1BC0L.dllJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
    habHh1BC0L.dllWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
    • 0x353d0:$x3: tasksche.exe
    • 0x353a8:$x8: C:\%s\qeriuwjhrf
    • 0x3014:$s1: C:\%s\%s
    • 0x12098:$s1: C:\%s\%s
    • 0x1b39c:$s1: C:\%s\%s
    • 0x353bc:$s1: C:\%s\%s
    • 0x326f0:$s5: \\192.168.56.20\IPC$
    • 0x1fae5:$s6: \\172.16.99.5\IPC$
    • 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
      00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
        00000006.00000000.1336734524.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
          0000000A.00000002.1389292837.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
            0000000A.00000000.1365918332.000000000040F000.00000008.00000001.01000000.00000004.sdmpJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
              Click to see the 6 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              8.2.mssecsvr.exe.1e4d084.3.raw.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
              • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
              • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
              • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
              8.2.mssecsvr.exe.23758c8.9.raw.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
              • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
              • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
              • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
              10.2.mssecsvr.exe.400000.0.unpackJoeSecurity_WannacryYara detected Wannacry ransomwareJoe Security
                10.2.mssecsvr.exe.400000.0.unpackWannaCry_RansomwareDetects WannaCry RansomwareFlorian Roth (with the help of binar.ly)
                • 0x3136c:$x3: tasksche.exe
                • 0x31344:$x8: C:\%s\qeriuwjhrf
                • 0x17338:$s1: C:\%s\%s
                • 0x31358:$s1: C:\%s\%s
                • 0x2e68c:$s5: \\192.168.56.20\IPC$
                • 0x1ba81:$s6: \\172.16.99.5\IPC$
                • 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
                • 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
                • 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
                10.2.mssecsvr.exe.400000.0.unpackWannaCry_Ransomware_GenDetects WannaCry RansomwareFlorian Roth (based on rule by US CERT)
                • 0x1bacc:$s1: __TREEID__PLACEHOLDER__
                • 0x1bb68:$s1: __TREEID__PLACEHOLDER__
                • 0x1c3d4:$s1: __TREEID__PLACEHOLDER__
                • 0x1d439:$s1: __TREEID__PLACEHOLDER__
                • 0x1e4a0:$s1: __TREEID__PLACEHOLDER__
                • 0x1f508:$s1: __TREEID__PLACEHOLDER__
                • 0x20570:$s1: __TREEID__PLACEHOLDER__
                • 0x215d8:$s1: __TREEID__PLACEHOLDER__
                • 0x22640:$s1: __TREEID__PLACEHOLDER__
                • 0x236a8:$s1: __TREEID__PLACEHOLDER__
                • 0x24710:$s1: __TREEID__PLACEHOLDER__
                • 0x25778:$s1: __TREEID__PLACEHOLDER__
                • 0x267e0:$s1: __TREEID__PLACEHOLDER__
                • 0x27848:$s1: __TREEID__PLACEHOLDER__
                • 0x288b0:$s1: __TREEID__PLACEHOLDER__
                • 0x29918:$s1: __TREEID__PLACEHOLDER__
                • 0x2a980:$s1: __TREEID__PLACEHOLDER__
                • 0x2ab94:$s1: __TREEID__PLACEHOLDER__
                • 0x2abf4:$s1: __TREEID__PLACEHOLDER__
                • 0x2e2c4:$s1: __TREEID__PLACEHOLDER__
                • 0x2e340:$s1: __TREEID__PLACEHOLDER__
                Click to see the 35 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-14T22:43:00.434570+010028033043Unknown Traffic192.168.2.949727103.224.212.21580TCP
                2025-01-14T22:43:02.106468+010028033043Unknown Traffic192.168.2.949740103.224.212.21580TCP
                2025-01-14T22:45:08.618751+010028033043Unknown Traffic192.168.2.952883103.224.212.21580TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-01-14T22:42:59.628747+010028300181A Network Trojan was detected192.168.2.9640511.1.1.153UDP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: habHh1BC0L.dllAvira: detected
                Antivirus detection for URL or domain
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/XAvira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fAvira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5fe8Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939b2Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0845-0884-8536-91f430fa231dAvira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e6379487Avira URL Cloud: Label: malware
                Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/AAvira URL Cloud: Label: malware
                Antivirus detection for dropped file
                Source: C:\Windows\tasksche.exeAvira: detection malicious, Label: TR/Rasftuby.cpsmo
                Multi AV Scanner detection for dropped file
                Source: C:\WINDOWS\qeriuwjhrf (copy)ReversingLabs: Detection: 86%
                Source: C:\Windows\eee.exeReversingLabs: Detection: 12%
                Source: C:\Windows\tasksche.exeReversingLabs: Detection: 86%
                Multi AV Scanner detection for submitted file
                Source: habHh1BC0L.dllVirustotal: Detection: 95%Perma Link
                Source: habHh1BC0L.dllReversingLabs: Detection: 92%
                Machine Learning detection for dropped file
                Source: C:\Windows\eee.exeJoe Sandbox ML: detected
                Machine Learning detection for sample
                Source: habHh1BC0L.dllJoe Sandbox ML: detected

                Exploits

                barindex
                Connects to many different private IPs (likely to spread or exploit)
                Source: global trafficTCP traffic: 192.168.2.39:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.38:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.42:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.41:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.44:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.43:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.46:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.45:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.48:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.47:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.40:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.28:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.27:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.29:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.31:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.30:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.33:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.32:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.35:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.34:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.37:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.36:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.17:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.16:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.19:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.18:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.20:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.22:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.21:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.24:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.23:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.26:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.25:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.97:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.96:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.11:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.99:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.10:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.98:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.13:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.12:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.15:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.14:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.91:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.90:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.93:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.92:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.95:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.94:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.2:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.1:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.8:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.7:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.9:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.4:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.3:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.6:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.5:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.86:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.104:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.85:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.105:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.102:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.103:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.108:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.109:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.106:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.107:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.100:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.101:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.113:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.111:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.112:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.110:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
                Connects to many different private IPs via SMB (likely to spread or exploit)
                Source: global trafficTCP traffic: 192.168.2.39:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.38:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.42:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.41:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.44:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.43:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.46:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.45:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.48:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.47:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.40:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.28:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.27:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.29:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.31:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.30:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.33:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.32:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.35:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.34:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.37:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.36:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.17:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.16:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.19:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.18:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.20:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.22:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.21:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.24:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.23:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.26:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.25:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.97:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.96:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.11:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.99:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.10:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.98:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.13:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.12:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.15:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.14:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.91:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.90:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.93:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.92:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.95:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.94:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.2:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.1:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.8:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.7:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.9:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.4:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.3:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.6:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.5:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.86:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.104:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.85:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.105:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.88:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.102:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.87:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.103:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.108:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.89:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.109:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.106:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.107:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.80:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.82:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.100:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.81:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.101:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.84:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.83:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.75:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.74:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.77:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.113:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.76:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.79:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.78:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.71:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.111:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.70:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.112:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.73:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.72:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.110:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.64:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.63:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.66:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.65:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.68:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.67:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.69:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.60:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.62:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.61:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.49:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.53:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.52:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.55:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.54:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.57:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.56:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.59:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.58:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.51:445Jump to behavior
                Source: global trafficTCP traffic: 192.168.2.50:445Jump to behavior
                Source: habHh1BC0L.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: tasksche.exe, 0000000B.00000000.1373149945.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmp, tasksche.exe, 0000000C.00000002.2589033370.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000000.1387882069.000000000042A000.00000002.00000001.01000000.00000007.sdmp, habHh1BC0L.dll, tasksche.exe.6.dr
                Source: C:\Windows\tasksche.exeCode function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,11_2_00409476
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,11_2_0040DE5E

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.9:64051 -> 1.1.1.1:53
                Source: global trafficTCP traffic: 192.168.2.9:52262 -> 1.1.1.1:53
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-0023-a483-adfaa7c939b2 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-0290-ac2b-9956998a5fe8 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736890980.6404981
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-02ad-b855-1345e6379487 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0845-0884-8536-91f430fa231d HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49740 -> 103.224.212.215:80
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49727 -> 103.224.212.215:80
                Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:52883 -> 103.224.212.215:80
                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.11
                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.11
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.11
                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.11
                Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.11
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.227
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.227
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.227
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.227
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 100.186.60.1
                Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.207
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.207
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.207
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.207
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 99.38.44.1
                Source: unknownTCP traffic detected without corresponding DNS query: 23.206.229.209
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.167
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.167
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.167
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.167
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: unknownTCP traffic detected without corresponding DNS query: 77.201.178.1
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-0023-a483-adfaa7c939b2 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-0290-ac2b-9956998a5fe8 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cacheCookie: __tad=1736890980.6404981
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0843-02ad-b855-1345e6379487 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-AliveCookie: parking_session=b07e05a2-6afb-4967-a1ef-8668f7ec5591
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /?subid1=20250115-0845-0884-8536-91f430fa231d HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: global trafficDNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
                Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=202
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C47000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0023-a483-adfaa7c939
                Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-0290-ac2b-9956998a5f
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0843-02ad-b855-1345e63794
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/A
                Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B2A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/X
                Source: habHh1BC0L.dllString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/$
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/2f
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/g
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/l
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ll)
                Source: mssecsvr.exe, 00000008.00000002.2014176011.000000000019D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comq
                Source: mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comsf:
                Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49677 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49676 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704

                Spam, unwanted Advertisements and Ransom Demands

                barindex
                Yara detected Wannacry ransomware
                Source: Yara matchFile source: habHh1BC0L.dll, type: SAMPLE
                Source: Yara matchFile source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000008.00000002.2014633028.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1373665187.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000000.1336734524.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.1389292837.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.1365918332.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000000.1359729095.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2016361125.0000000002384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.2015998105.0000000001E5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 7440, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 7568, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: mssecsvr.exe PID: 7620, type: MEMORYSTR

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: habHh1BC0L.dll, type: SAMPLEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.1e4d084.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.23758c8.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
                Source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPEMatched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040690A: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,11_2_0040690A
                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeFile created: C:\WINDOWS\tasksche.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeFile created: C:\WINDOWS\tasksche.exeJump to behavior
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\__tmp_rar_sfx_access_check_5077250Jump to behavior
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\eee.exeJump to behavior
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\__tmp_rar_sfx_access_check_5078562Jump to behavior
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\eee.exeJump to behavior
                Source: C:\Windows\tasksche.exeFile deleted: C:\Windows\__tmp_rar_sfx_access_check_5077250Jump to behavior
                Source: C:\Windows\tasksche.exeCode function: 11_2_00402F2C11_2_00402F2C
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041B0D911_2_0041B0D9
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041B8B911_2_0041B8B9
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041494611_2_00414946
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041017811_2_00410178
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040498611_2_00404986
                Source: C:\Windows\tasksche.exeCode function: 11_2_0042924111_2_00429241
                Source: C:\Windows\tasksche.exeCode function: 11_2_0042727C11_2_0042727C
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040CB2311_2_0040CB23
                Source: C:\Windows\tasksche.exeCode function: 11_2_004283FC11_2_004283FC
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041AC0411_2_0041AC04
                Source: C:\Windows\tasksche.exeCode function: 11_2_00416C3F11_2_00416C3F
                Source: C:\Windows\tasksche.exeCode function: 11_2_00401CC111_2_00401CC1
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041F4D411_2_0041F4D4
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041BCD911_2_0041BCD9
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040C4FF11_2_0040C4FF
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041B4AD11_2_0041B4AD
                Source: C:\Windows\tasksche.exeCode function: 11_2_00417D7811_2_00417D78
                Source: C:\Windows\tasksche.exeCode function: 11_2_00427D0411_2_00427D04
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041450F11_2_0041450F
                Source: C:\Windows\tasksche.exeCode function: 11_2_00415D9A11_2_00415D9A
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040561011_2_00405610
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041462B11_2_0041462B
                Source: C:\Windows\tasksche.exeCode function: 11_2_00413EE311_2_00413EE3
                Source: C:\Windows\tasksche.exeCode function: 11_2_004106F411_2_004106F4
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040C75611_2_0040C756
                Source: C:\Windows\tasksche.exeCode function: 11_2_004277C011_2_004277C0
                Source: Joe Sandbox ViewDropped File: C:\Windows\eee.exe 92B0BECA439DB25D7098379CEE580FA69F6F5E7271708BDEC03AB8FF526426D8
                Source: C:\Windows\tasksche.exeCode function: String function: 0041AAF0 appears 49 times
                Source: C:\Windows\tasksche.exeCode function: String function: 0041A4DC appears 37 times
                Source: C:\Windows\tasksche.exeCode function: String function: 0041FA9C appears 38 times
                Source: eee.exe.11.drStatic PE information: No import functions for PE file found
                Source: habHh1BC0L.dllStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
                Source: habHh1BC0L.dll, type: SAMPLEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.1e4d084.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.23758c8.9.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.1e4d084.3.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.2384948.7.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.23758c8.9.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.1e5c104.2.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
                Source: 8.2.mssecsvr.exe.1e580a4.5.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.1e5c104.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.23808e8.8.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: 8.2.mssecsvr.exe.2384948.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
                Source: classification engineClassification label: mal100.rans.expl.evad.winDLL@20/3@2/100
                Source: C:\Windows\tasksche.exeCode function: 11_2_00406553 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_00406553
                Source: C:\Windows\mssecsvr.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,8_2_00407C40
                Source: C:\Windows\tasksche.exeCode function: 11_2_00419BB0 CoCreateInstance,11_2_00419BB0
                Source: C:\Windows\mssecsvr.exeCode function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,6_2_00407CE0
                Source: C:\Windows\mssecsvr.exeCode function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
                Source: C:\Windows\mssecsvr.exeCode function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,6_2_00408090
                Source: C:\Windows\mssecsvr.exeCode function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,8_2_00408090
                Source: C:\Windows\tasksche.exeFile created: C:\Users\user\New folderJump to behavior
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03
                Source: C:\Windows\tasksche.exeCommand line argument: sfxname11_2_0040FEF0
                Source: C:\Windows\tasksche.exeCommand line argument: sfxstime11_2_0040FEF0
                Source: C:\Windows\tasksche.exeCommand line argument: STARTDLG11_2_0040FEF0
                Source: C:\Windows\tasksche.exeCommand line argument: @CB11_2_00424290
                Source: habHh1BC0L.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\tasksche.exeFile read: C:\Windows\win.iniJump to behavior
                Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame
                Source: habHh1BC0L.dllVirustotal: Detection: 95%
                Source: habHh1BC0L.dllReversingLabs: Detection: 92%
                Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll"
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGame
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: unknownProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGame
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
                Source: C:\Windows\mssecsvr.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                Source: C:\Windows\mssecsvr.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\habHh1BC0L.dll,PlayGameJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",PlayGameJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1Jump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /iJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /iJump to behavior
                Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\loaddll32.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: msvcp60.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: msvcp60.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: msvcp60.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: riched32.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: explorerframe.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: thumbcache.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dataexchange.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dcomp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: networkexplorer.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: riched32.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: riched20.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: usp10.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: msls31.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: textinputframework.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: coreuicomponents.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: coremessaging.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: explorerframe.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: thumbcache.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dataexchange.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: d3d11.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dcomp.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: dxgi.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: twinapi.appcore.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: samlib.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: policymanager.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: msvcp110_win.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: networkexplorer.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\tasksche.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\mssecsvr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeAutomated click: OK
                Source: C:\Windows\tasksche.exeFile opened: C:\Windows\SysWOW64\riched32.dllJump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: habHh1BC0L.dllStatic file information: File size 5267459 > 1048576
                Source: habHh1BC0L.dllStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000
                Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: tasksche.exe, 0000000B.00000000.1373149945.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.2589033974.000000000042A000.00000002.00000001.01000000.0000000C.sdmp, tasksche.exe, 0000000C.00000002.2589033370.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000000.1387882069.000000000042A000.00000002.00000001.01000000.00000007.sdmp, habHh1BC0L.dll, tasksche.exe.6.dr
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,11_2_0040CEB6
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\__tmp_rar_sfx_access_check_5077250Jump to behavior
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041FAE1 push ecx; ret 11_2_0041FAF4
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041A4DC push eax; ret 11_2_0041A4FA

                Persistence and Installation Behavior

                barindex
                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Windows\mssecsvr.exeExecutable created and started: C:\WINDOWS\tasksche.exeJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeExecutable created and started: C:\WINDOWS\mssecsvr.exeJump to behavior
                Source: C:\Windows\mssecsvr.exeFile created: C:\WINDOWS\qeriuwjhrf (copy)Jump to dropped file
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\eee.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeFile created: C:\Windows\tasksche.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeFile created: C:\WINDOWS\qeriuwjhrf (copy)Jump to dropped file
                Source: C:\Windows\tasksche.exeFile created: C:\Windows\eee.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeFile created: C:\Windows\tasksche.exeJump to dropped file
                Source: C:\Windows\mssecsvr.exeCode function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\tasksche.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\tasksche.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\tasksche.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\tasksche.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\mssecsvr.exeThread delayed: delay time: 86400000Jump to behavior
                Source: C:\Windows\tasksche.exeDropped PE file which has not been started: C:\Windows\eee.exeJump to dropped file
                Source: C:\Windows\tasksche.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcessgraph_11-19226
                Source: C:\Windows\tasksche.exeEvasive API call chain: GetModuleFileName,DecisionNodes,Sleepgraph_11-19426
                Source: C:\Windows\mssecsvr.exe TID: 7680Thread sleep count: 91 > 30Jump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 7680Thread sleep time: -182000s >= -30000sJump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 7684Thread sleep count: 127 > 30Jump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 7684Thread sleep count: 36 > 30Jump to behavior
                Source: C:\Windows\mssecsvr.exe TID: 7680Thread sleep time: -86400000s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\tasksche.exeCode function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,11_2_00409476
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040DE5E SendDlgItemMessageW,DestroyIcon,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SHGetFileInfoW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,11_2_0040DE5E
                Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
                Source: C:\Windows\mssecsvr.exeThread delayed: delay time: 86400000Jump to behavior
                Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
                Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
                Source: tasksche.exe, 0000000C.00000003.2439818918.0000000005713000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N1
                Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\^
                Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y{
                Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: tasksche.exe, 0000000C.00000002.2590376299.0000000005716000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: tasksche.exe, 0000000C.00000003.1976698073.0000000005716000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}77
                Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
                Source: mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW$7
                Source: tasksche.exe, 0000000C.00000003.1778936718.00000000007FD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: G|3c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}77
                Source: tasksche.exe, 0000000C.00000002.2589335405.00000000007DF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\UUU
                Source: mssecsvr.exe, 00000006.00000002.1374237333.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1374237333.0000000000C58000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2015365691.0000000000B4D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C89000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1390445468.0000000000C38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: tasksche.exe, 0000000C.00000003.1777199303.0000000000830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                Source: tasksche.exe, 0000000C.00000003.1778350015.0000000000830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}42??
                Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
                Source: tasksche.exe, 0000000C.00000003.1778350015.0000000000830000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{55630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18xn
                Source: tasksche.exe, 0000000C.00000002.2589335405.000000000077D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y,
                Source: tasksche.exe, 0000000B.00000002.2589312577.000000000070C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: tasksche.exe, 0000000C.00000002.2590376299.00000000056E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD0
                Source: C:\Windows\tasksche.exeAPI call chain: ExitProcess graph end nodegraph_11-19228
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0041E6DE
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040CEB6 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,11_2_0040CEB6
                Source: C:\Windows\tasksche.exeCode function: 11_2_004234CE SetUnhandledExceptionFilter,11_2_004234CE
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0041E6DE
                Source: C:\Windows\tasksche.exeCode function: 11_2_0041FFDB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0041FFDB
                Source: C:\Windows\tasksche.exeCode function: 11_2_00423F89 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind,11_2_00423F89
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\habHh1BC0L.dll",#1Jump to behavior
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040CA52 cpuid 11_2_0040CA52
                Source: C:\Windows\tasksche.exeCode function: GetLocaleInfoW,GetNumberFormatW,11_2_0040D155
                Source: C:\Windows\tasksche.exeCode function: GetLocaleInfoA,11_2_00425EF0
                Source: C:\Windows\tasksche.exeCode function: 11_2_0040FEF0 OleInitialize,_memset,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,DeleteObject,DeleteObject,DeleteObject,CloseHandle,Sleep,OleUninitialize,11_2_0040FEF0
                Source: C:\Windows\tasksche.exeCode function: 11_2_00409C06 GetVersionExW,11_2_00409C06
                Source: C:\Windows\tasksche.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Windows\tasksche.exeDirectory queried: C:\Users\user\DocumentsJump to behavior

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Native API                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		1
                Deobfuscate/Decode Files or Information                		OS Credential Dumping1
                System Time Discovery                		Remote Services1
                Archive Collected Data                		1
                Ingress Tool Transfer                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts2
                Command and Scripting Interpreter                		4
                Windows Service                		1
                Access Token Manipulation                		2
                Obfuscated Files or Information                		LSASS Memory12
                File and Directory Discovery                		Remote Desktop Protocol1
                Data from Local System                		12
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts2
                Service Execution                		Logon Script (Windows)4
                Windows Service                		1
                Software Packing                		Security Account Manager23
                System Information Discovery                		SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook11
                Process Injection                		1
                DLL Side-Loading                		NTDS1
                Network Share Discovery                		Distributed Component Object ModelInput Capture3
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                File Deletion                		LSA Secrets111
                Security Software Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts121
                Masquerading                		Cached Domain Credentials21
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items21
                Virtualization/Sandbox Evasion                		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Access Token Manipulation                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                Process Injection                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                Rundll32                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1591365 Sample: habHh1BC0L.dll Startdate: 14/01/2025 Architecture: WINDOWS Score: 100 46 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->46 48 ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 2->48 50 77026.bodis.com 2->50 60 Suricata IDS alerts for network traffic 2->60 62 Malicious sample detected (through community Yara rule) 2->62 64 Antivirus detection for URL or domain 2->64 66 6 other signatures 2->66 10 loaddll32.exe 1 2->10         started        12 mssecsvr.exe 12 2->12         started        signatures3 process4 dnsIp5 16 cmd.exe 1 10->16         started        18 rundll32.exe 10->18         started        21 conhost.exe 10->21         started        23 rundll32.exe 1 10->23         started        52 192.168.2.100 unknown unknown 12->52 54 192.168.2.101 unknown unknown 12->54 56 98 other IPs or domains 12->56 74 Connects to many different private IPs via SMB (likely to spread or exploit) 12->74 76 Connects to many different private IPs (likely to spread or exploit) 12->76 signatures6 process7 signatures8 25 rundll32.exe 16->25         started        58 Drops executables to the windows directory (C:\Windows) and starts them 18->58 27 mssecsvr.exe 13 18->27         started        process9 file10 31 mssecsvr.exe 13 25->31         started        42 C:\WINDOWS\qeriuwjhrf (copy), PE32 27->42 dropped 72 Drops executables to the windows directory (C:\Windows) and starts them 27->72 34 tasksche.exe 8 19 27->34         started        signatures11 process12 file13 44 C:\Windows\tasksche.exe, PE32 31->44 dropped 36 tasksche.exe 3 12 31->36         started        process14 file15 40 C:\Windows\eee.exe, PE32 36->40 dropped 68 Antivirus detection for dropped file 36->68 70 Multi AV Scanner detection for dropped file 36->70 signatures16

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.