Edit tour

Windows Analysis Report
Busy2.0.exe

Overview

General Information

Sample name:	Busy2.0.exe
Analysis ID:	1639482
MD5:	6ee9b76d1bfd47a5b4c4ae58a293c05c
SHA1:	11564c7122e44a3c4da2afdd73cab6f53321508c
SHA256:	670d7d789fcfc13fca28cf4633543cfcfbd13183a5dedb1c3fa5709a5190cd33
Tags:	exeuser-2huMarisa
Infos:

Detection

Babadeda

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Babadeda

Changes the wallpaper picture

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Contains functionality to infect the boot sector

Disable Task Manager(disabletaskmgr)

Disables the Windows task manager (taskmgr)

Joe Sandbox ML detected suspicious sample

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Writes directly to the primary disk partition (DR0)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Classification

Process Tree

System is w10x64

Busy2.0.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Busy2.0.exe" MD5: 6EE9B76D1BFD47A5B4C4AE58A293C05C)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5380 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.bat C:\Users\user\Desktop\Busy2.0.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

timeout.exe (PID: 4960 cmdline: timeout /t 30 MD5: 100065E21CFBBDE57CBA2838921F84D6)

timeout.exe (PID: 7296 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

timeout.exe (PID: 7324 cmdline: timeout /t 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)

timeout.exe (PID: 7340 cmdline: timeout /t 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)

timeout.exe (PID: 7364 cmdline: timeout /t 2 MD5: 100065E21CFBBDE57CBA2838921F84D6)

timeout.exe (PID: 7392 cmdline: timeout /t 4 MD5: 100065E21CFBBDE57CBA2838921F84D6)

reg.exe (PID: 7424 cmdline: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t "REG_DWORD" /d "1" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

MBR.exe (PID: 7440 cmdline: MBR.exe MD5: 344C84937D34113C838494FBC6E9AC16)

schtasks.exe (PID: 7452 cmdline: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7928 cmdline: timeout /t 1 MD5: 100065E21CFBBDE57CBA2838921F84D6)

reg.exe (PID: 8084 cmdline: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

rundll32.exe (PID: 8156 cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters MD5: EF3179D498793BF4234F708D3BE28633)

reg.exe (PID: 6644 cmdline: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

rundll32.exe (PID: 5204 cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters MD5: EF3179D498793BF4234F708D3BE28633)

reg.exe (PID: 5664 cmdline: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

rundll32.exe (PID: 7136 cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters MD5: EF3179D498793BF4234F708D3BE28633)

reg.exe (PID: 932 cmdline: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f MD5: 227F63E1D9008B36BDBCC4B397780BE4)

rundll32.exe (PID: 7328 cmdline: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters MD5: EF3179D498793BF4234F708D3BE28633)

timeout.exe (PID: 760 cmdline: timeout /t 4 MD5: 100065E21CFBBDE57CBA2838921F84D6)

IconDance.exe (PID: 1720 cmdline: IconDance.exe MD5: DD5D7042C222D232731C2E55182E5DFF)

runaway.exe (PID: 1152 cmdline: runaway.exe MD5: 979B597855746AEE2F30EE74F9D7C163)

Music.UI.exe (PID: 7576 cmdline: "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca MD5: F963F75C0AD152437E10D656A00793A3)

MBR.exe (PID: 7616 cmdline: C:\Users\user\Desktop\MBR.exe MD5: 344C84937D34113C838494FBC6E9AC16)

schtasks.exe (PID: 7656 cmdline: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babadeda	According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.	No Attribution	https://blog.morphisec.com/the-babadeda-crypter-targeting-crypto-nft-defi-communities	https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Busy2.0.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\matrix.exe	JoeSecurity_Babadeda	Yara detected Babadeda	Joe Security

Sigma Signatures

System Summary

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe", CommandLine: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: MBR.exe, ParentImage: C:\Users\user\Desktop\MBR.exe, ParentProcessId: 7440, ParentProcessName: MBR.exe, ProcessCommandLine: schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe", ProcessId: 7452, ProcessName: schtasks.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Desktop\MBR.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\MBR.exe, ProcessId: 7440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update

Sigma detected: Potentially Suspicious Desktop Background Change Via Registry

Source: Registry Key set

Author: Nasreddine Bencherchali (Nextron Systems), Stephen Lincoln @slincoln-aiq (AttackIQ): Data: Details: C:\Users\userDesktop\YuuyaCat.bmp, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\reg.exe, ProcessId: 8084, TargetObject: HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Busy2.0.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\MBR.exe	Avira: detection malicious, Label: HEUR/AGEN.1330675
Source: C:\Users\user\Desktop\Melting.exe	Avira: detection malicious, Label: TR/BadJoke.U
Source: C:\Users\user\Desktop\Hydra.exe	Avira: detection malicious, Label: TR/BadJoke.gjdfh
Source: C:\Users\user\Desktop\IconDance.exe	Avira: detection malicious, Label: JOKE/Win32.IconDance

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\Hydra.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\IconDance.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\MBR.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\Desktop\Melting.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\Desktop\matrix.exe	ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\runaway.exe	ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: Busy2.0.exe	Virustotal: Detection: 66%			Perma Link
Source: Busy2.0.exe	ReversingLabs: Detection: 61%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Source: Busy2.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.219.148.9:443 -> 192.168.2.8:49692 version: TLS 1.2

Source:	Binary string: C:\Users\FlyTech\Documents\Visual Studio 2015\Projects\Messager\Messager\obj\Debug\Messager.pdb source: Busy2.0.exe, 00000000.00000003.1008656527.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp, runaway.exe, 0000002B.00000000.1531313090.0000000000112000.00000002.00000001.01000000.00000013.sdmp, runaway.exe.0.dr
Source:	Binary string: D:\Visual Studio Projects\Hydra\Hydra\obj\Release\Hydra.pdb source: Busy2.0.exe, 00000000.00000003.1008777841.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, Hydra.exe.0.dr
Source:	Binary string: C:\Users\Domas\Desktop\ScreenMelter\x64\Release\ScreenMelter.pdb source: Melting.exe.0.dr

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_004049A0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

19_2_004049A0

Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp	Jump to behavior

Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	43_2_009E8360
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	43_2_009E8590
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch]	43_2_009E0AD8
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then push dword ptr [ebp-10h]	43_2_009E8CA0
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	43_2_009E94F0
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	43_2_009E8358
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	43_2_009E8470
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	43_2_009E8466
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-3Ch]	43_2_009E0AD1
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	43_2_009E93D0
Source: C:\Users\user\Desktop\runaway.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh	43_2_009E94E4

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /XBLWinClient/v10_music/configuration.xml HTTP/1.1Accept: */*User-Agent: XBLWIN10.19071Accept-Language: en-CHAccept-Encoding: gzip, deflate, brHost: settings-ssl.xboxlive.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: settings-ssl.xboxlive.com

Source: Music.UI.exe, 00000017.00000002.2323531952.0000013ECD186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Music.UI.exe, 00000017.00000002.2323531952.0000013ECD186000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: Music.UI.exe, 00000017.00000002.2306720921.0000013ECC4D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicart.xboxlive.com/9/5c6a4700-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000017.00000002.2306720921.0000013ECC4D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicart.xboxlive.com/9/e74d4600-0000-0000-0000-000000000002/504/image.jpg
Source: Music.UI.exe, 00000017.00000002.2305918447.0000013ECC41B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://musicimage.xboxlive.comtXBLWinClient/v10_music/configuration.xmlC:
Source: Music.UI.exe, 00000017.00000003.1492393080.0000013ECC461000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000017.00000002.2305918447.0000013ECC41B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com
Source: Music.UI.exe, 00000017.00000003.1492393080.0000013ECC461000.00000004.00000020.00020000.00000000.sdmp, Music.UI.exe, 00000017.00000002.2305918447.0000013ECC41B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/
Source: Music.UI.exe, 00000017.00000003.1492393080.0000013ECC461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xml
Source: Music.UI.exe, 00000017.00000003.1492393080.0000013ECC461000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://settings-ssl.xboxlive.com/XBLWinClient/v10_music/configuration.xmlC:
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: Music.UI.exe, 00000017.00000002.2322000807.0000013ECD0D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/p
Source: Music.UI.exe, 00000017.00000002.2306720921.0000013ECC536000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com5png

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443

Source: unknown

HTTPS traffic detected: 23.219.148.9:443 -> 192.168.2.8:49692 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Changes the wallpaper picture

Source: C:\Windows\System32\reg.exe

Key value created or modified: HKEY_CURRENT_USER\Control Panel\Desktop Wallpaper C:\Users\userDesktop\YuuyaCat.bmp

Jump to behavior

Operating System Destruction

Contains functionality to access PhysicalDrive, possible boot sector overwrite

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00412DE0 CreateFileA on filename \\.\PhysicalDrive0

19_2_00412DE0

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00412AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,

19_2_00412AF8

Source: C:\Users\user\Desktop\Busy2.0.exe	Code function: 0_2_00410C80	0_2_00410C80
Source: C:\Users\user\Desktop\Busy2.0.exe	Code function: 0_2_0040EFF0	0_2_0040EFF0
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040C336	19_2_0040C336
Source: C:\Users\user\Desktop\runaway.exe	Code function: 43_2_009E74F8	43_2_009E74F8
Source: C:\Users\user\Desktop\runaway.exe	Code function: 43_2_009E74E8	43_2_009E74E8

Source: Joe Sandbox View

Dropped File: C:\Users\user\Desktop\Hydra.exe 0B6C0AF51CDE971B3E5F8AA204F8205418AB8C180B79A5AC1C11A6E0676F0F7C

Source: C:\Users\user\Desktop\MBR.exe

Code function: String function: 00403A44 appears 53 times

Source: Busy2.0.exe, 00000000.00000003.1008656527.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMessager.exe4 vs Busy2.0.exe
Source: Busy2.0.exe, 00000000.00000003.1008777841.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHydra.exe, vs Busy2.0.exe
Source: Busy2.0.exe, 00000000.00000003.1009119771.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamematrix.exe6 vs Busy2.0.exe
Source: Busy2.0.exe, 00000000.00000003.1009119771.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename" vs Busy2.0.exe
Source: Busy2.0.exe	Binary or memory string: OriginalFilenameBusy2.00 vs Busy2.0.exe

Source: Busy2.0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t "REG_DWORD" /d "1" /f

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@98/31@1/1

Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00412888 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,		19_2_00412888
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00412AF8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,		19_2_00412AF8

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00406F56 GetDiskFreeSpaceA,

19_2_00406F56

Source: C:\Users\user\Desktop\Busy2.0.exe

Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource,

0_2_00402664

Source: C:\Users\user\Desktop\Busy2.0.exe

File created: C:\Users\user\Desktop\gg.wav

Jump to behavior

Source: C:\Users\user\Desktop\runaway.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Users\user\Desktop\Busy2.0.exe

File created: C:\Users\user\AppData\Local\Temp\2A8E.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Busy2.0.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.bat C:\Users\user\Desktop\Busy2.0.exe"

Source: C:\Users\user\Desktop\MBR.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\IconDance.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\System32\cmd.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Busy2.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

Source: Busy2.0.exe	Virustotal: Detection: 66%
Source: Busy2.0.exe	ReversingLabs: Detection: 61%

Source: unknown	Process created: C:\Users\user\Desktop\Busy2.0.exe "C:\Users\user\Desktop\Busy2.0.exe"
Source: C:\Users\user\Desktop\Busy2.0.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Busy2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.bat C:\Users\user\Desktop\Busy2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 2
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t "REG_DWORD" /d "1" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\MBR.exe MBR.exe
Source: C:\Users\user\Desktop\MBR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe "C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
Source: unknown	Process created: C:\Users\user\Desktop\MBR.exe C:\Users\user\Desktop\MBR.exe
Source: C:\Users\user\Desktop\MBR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\IconDance.exe IconDance.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\runaway.exe runaway.exe
Source: C:\Users\user\Desktop\Busy2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.bat C:\Users\user\Desktop\Busy2.0.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t "REG_DWORD" /d "1" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\MBR.exe MBR.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\IconDance.exe IconDance.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\runaway.exe runaway.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe"	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Busy2.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinui.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: sharedui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: concrt140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.applicationmodel.lockscreen.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: lockappbroker.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.ui.xaml.phone.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.playback.mediaplayer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rtworkq.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.mediacontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfmediaengine.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.media.playback.proxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: comppkgsup.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wpnapps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.web.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.devices.enumeration.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ddores.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: defaultdevicemanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.networking.backgroundtransfer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: biwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: microsoftaccountwamextension.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: mfcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: ksuser.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: resampledmo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Section loaded: gnsdk_fp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\IconDance.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\IconDance.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\runaway.exe	Section loaded: wintypes.dll

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Busy2.0.exe

Static file information: File size 11605504 > 1048576

Source: Busy2.0.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xafb800

Source:	Binary string: C:\Users\FlyTech\Documents\Visual Studio 2015\Projects\Messager\Messager\obj\Debug\Messager.pdb source: Busy2.0.exe, 00000000.00000003.1008656527.0000000002ED2000.00000004.00000020.00020000.00000000.sdmp, runaway.exe, 0000002B.00000000.1531313090.0000000000112000.00000002.00000001.01000000.00000013.sdmp, runaway.exe.0.dr
Source:	Binary string: D:\Visual Studio Projects\Hydra\Hydra\obj\Release\Hydra.pdb source: Busy2.0.exe, 00000000.00000003.1008777841.0000000002DD3000.00000004.00000020.00020000.00000000.sdmp, Hydra.exe.0.dr
Source:	Binary string: C:\Users\Domas\Desktop\ScreenMelter\x64\Release\ScreenMelter.pdb source: Melting.exe.0.dr

Data Obfuscation

Yara detected Babadeda

Source: Yara match	File source: Busy2.0.exe, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\matrix.exe, type: DROPPED

Source: Hydra.exe.0.dr

Static PE information: 0xBFB48831 [Wed Dec 2 11:00:01 2071 UTC]

Source: C:\Users\user\Desktop\Busy2.0.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: Busy2.0.exe	Static PE information: section name: .code
Source: matrix.exe.0.dr	Static PE information: section name: .code

Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00405488 push 004054D9h; ret	19_2_004054D1
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00412848 push 00412874h; ret	19_2_0041286C
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040B86C push 0040B9E8h; ret	19_2_0040B9E0
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00412020 push 004120B0h; ret	19_2_004120A8
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_004120CB push 0041210Fh; ret	19_2_00412107
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_004120CC push 0041210Fh; ret	19_2_00412107
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00405900 push 0040592Ch; ret	19_2_00405924
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00405938 push 00405C34h; ret	19_2_00405C2C
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040E9CC push 0040EA42h; ret	19_2_0040EA3A
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040B9EA push 0040BA5Bh; ret	19_2_0040BA53
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040B9EC push 0040BA5Bh; ret	19_2_0040BA53
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EA44 push 0040EAECh; ret	19_2_0040EAE4
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040BA64 push 0040BAA0h; ret	19_2_0040BA98
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040BA74 push 0040BAA0h; ret	19_2_0040BA98
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040B204 push ecx; mov dword ptr [esp], edx	19_2_0040B209
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EAEE push 0040EB84h; ret	19_2_0040EB7C
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040C2A0 push 0040C2CCh; ret	19_2_0040C2C4
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040BAAC push 0040BAD8h; ret	19_2_0040BAD0
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EB58 push 0040EB84h; ret	19_2_0040EB7C
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00402BC4 push eax; ret	19_2_00402C00
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EBBB push 0040EC09h; ret	19_2_0040EC01
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EBBC push 0040EC09h; ret	19_2_0040EC01
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00405C08 push 00405C34h; ret	19_2_00405C2C
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EC0D push 0040EC40h; ret	19_2_0040EC38
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0040EC14 push 0040EC40h; ret	19_2_0040EC38
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0041251B push 0041255Fh; ret	19_2_00412557
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_0041251C push 0041255Fh; ret	19_2_00412557
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00412D20 push 00412D46h; ret	19_2_00412D3E
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_004056F0 push 0040571Ch; ret	19_2_00405714
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_004056B8 push 004056E4h; ret	19_2_004056DC
Source: C:\Users\user\Desktop\MBR.exe	Code function: 19_2_00410744 push ecx; mov dword ptr [esp], ecx	19_2_00410749

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\MBR.exe

Code function: EntryPoint,FindWindowA,PostMessageA,FindWindowA,PostMessageA,WinExec,CreateFileA,WriteFile,CloseHandle, \\.\PhysicalDrive0

19_2_00412DE0

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: reg.exe	Jump to behavior

Writes directly to the primary disk partition (DR0)

Source: C:\Users\user\Desktop\MBR.exe	File written: \Device\Harddisk0\DR0 offset: 12288 length: 12288			Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	File written: \Device\Harddisk0\DR0 offset: 12288 length: 12288			Jump to behavior

Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\MBR.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\Hydra.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\matrix.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\Melting.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\runaway.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	File created: C:\Users\user\Desktop\IconDance.exe	Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\MBR.exe

Code function: EntryPoint,FindWindowA,PostMessageA,FindWindowA,PostMessageA,WinExec,CreateFileA,WriteFile,CloseHandle, \\.\PhysicalDrive0

19_2_00412DE0

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\IconDance.exe

Window found: window name: progman

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\MBR.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\user\Desktop\MBR.exe"

Source: C:\Users\user\Desktop\MBR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Windows Update	Jump to behavior
Source: C:\Users\user\Desktop\MBR.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Windows Update	Jump to behavior

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_0041256C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_0041256C

Source: C:\Users\user\Desktop\Busy2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\runaway.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\runaway.exe	Memory allocated: 960000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\runaway.exe	Memory allocated: 2400000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\runaway.exe	Memory allocated: 21C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\Busy2.0.exe

Window / User API: threadDelayed 5573

Jump to behavior

Source: C:\Users\user\Desktop\Busy2.0.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Hydra.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\matrix.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Busy2.0.exe	Dropped PE file which has not been started: C:\Users\user\Desktop\Melting.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Busy2.0.exe TID: 6488	Thread sleep time: -55730s >= -30000s	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 3912	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Windows\System32\timeout.exe TID: 7300	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 7668	Thread sleep time: -4233600000s >= -30000s	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe TID: 7668	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\MBR.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000807	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000407	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000807
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000407
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000807
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000407
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000807
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\00000407

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Busy2.0.exe

Thread sleep count: Count: 5573 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_004049A0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

19_2_004049A0

Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp\2A90.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Busy2.0.exe	File opened: C:\Users\user\AppData\Local\Temp\2A8E.tmp\2A8F.tmp	Jump to behavior

Source: Music.UI.exe, 00000017.00000002.2308008252.0000013ECC581000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Busy2.0.exe

Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary,

0_2_0040ADD6

Source: C:\Users\user\Desktop\Busy2.0.exe	Code function: 0_2_00409FD0 SetUnhandledExceptionFilter,		0_2_00409FD0
Source: C:\Users\user\Desktop\Busy2.0.exe	Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,		0_2_00409FB0

Source: C:\Users\user\Desktop\runaway.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00412C00 ShellExecuteEx,

19_2_00412C00

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 30	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t "REG_DWORD" /d "1" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\MBR.exe MBR.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 4	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\IconDance.exe IconDance.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\runaway.exe runaway.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "Wallpaper" /t REG_SZ /d "C:\Users\userDesktop\YuuyaCat.bmp" /f	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00412BA4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00412BA4

Source: Busy2.0.exe, 00000000.00000003.1008532988.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp, MBR.exe, MBR.exe, 00000013.00000000.1440878627.0000000000401000.00000020.00000001.01000000.00000007.sdmp, MBR.exe, 00000018.00000000.1446991933.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: Shell_TrayWnd
Source: IconDance.exe, 0000002A.00000002.2243380828.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: progmanyK
Source: Busy2.0.exe, 00000000.00000003.1008532988.0000000002DCF000.00000004.00000020.00020000.00000000.sdmp, MBR.exe, 00000013.00000000.1440878627.0000000000401000.00000020.00000001.01000000.00000007.sdmp, MBR.exe, 00000018.00000000.1446991933.0000000000401000.00000020.00000001.01000000.00000007.sdmp	Binary or memory string: Windows UpdateShell_TrayWnd
Source: Busy2.0.exe, 00000000.00000003.1009119771.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, IconDance.exe, 0000002A.00000000.1530907222.0000000000401000.00000020.00000001.01000000.00000012.sdmp, IconDance.exe.0.dr	Binary or memory string: progman

Source: C:\Users\user\Desktop\MBR.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	19_2_00404B58
Source: C:\Users\user\Desktop\MBR.exe	Code function: GetLocaleInfoA,GetACP,	19_2_0040AA6C
Source: C:\Users\user\Desktop\MBR.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	19_2_00404C64
Source: C:\Users\user\Desktop\MBR.exe	Code function: GetLocaleInfoA,	19_2_00405412
Source: C:\Users\user\Desktop\MBR.exe	Code function: GetLocaleInfoA,	19_2_00405414
Source: C:\Users\user\Desktop\MBR.exe	Code function: GetLocaleInfoA,	19_2_00409664
Source: C:\Users\user\Desktop\MBR.exe	Code function: GetLocaleInfoA,	19_2_00409618

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbtmp.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00001.jrs VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edbres00002.jrs VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.log VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.jfm VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\EntClientDb.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\Database\anonymous\tmp.edb VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\SRPData.xml VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\runaway.exe	Queries volume information: C:\Users\user\Desktop\runaway.exe VolumeInformation
Source: C:\Users\user\Desktop\runaway.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\runaway.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation

Source: C:\Users\user\Desktop\MBR.exe

Code function: 19_2_00408118 GetLocalTime,

19_2_00408118

Source: C:\Users\user\Desktop\Busy2.0.exe

Code function: 0_2_00405573 GetVersionExW,GetVersionExW,

0_2_00405573

Lowering of HIPS / PFW / Operating System Security Settings

Disable Task Manager(disabletaskmgr)

Source: C:\Windows\System32\reg.exe

Registry value created: DisableTaskMgr 1

Jump to behavior

Disables the Windows task manager (taskmgr)

Source: C:\Windows\System32\reg.exe

Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Native API	1 Scripting	1 Exploitation for Privilege Escalation	21 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Access Token Manipulation	3 Obfuscated Files or Information	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Timestomp	NTDS	211 Security Software Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	3 Bootkit	1 Scheduled Task/Job	1 DLL Side-Loading	LSA Secrets	4 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	1 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	3 Bootkit	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Rundll32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Busy2.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Spam, unwanted Advertisements and Ransom Demands

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Busy2.0.exe