Edit tour

Windows Analysis Report
qCc1a4w5YZ.exe

Overview

General Information

Sample name:	qCc1a4w5YZ.exe (renamed file extension from rl to exe, renamed because original name is a hash value)
Original sample name:	42ae1eabe02cf20ce21b32dc0f0f3a90206887a6.rl
Analysis ID:	1411680
MD5:	fb1c4d59adaf64a044dba323ea8fe6f0
SHA1:	42ae1eabe02cf20ce21b32dc0f0f3a90206887a6
SHA256:	8052e7b4b67c2cafa041fdc3b7daa5684d1a85ad9b1b5ca1b7beba8631bac062
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Connects to several IPs in different countries

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w7x64

qCc1a4w5YZ.exe (PID: 2680 cmdline: "C:\Users\user\Desktop\qCc1a4w5YZ.exe" MD5: FB1C4D59ADAF64A044DBA323EA8FE6F0)

tasksche.exe (PID: 3256 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 7F7CCAA16FB15EB1C7399D422F8363E8)

qCc1a4w5YZ.exe (PID: 3164 cmdline: C:\Users\user\Desktop\qCc1a4w5YZ.exe -m security MD5: FB1C4D59ADAF64A044DBA323EA8FE6F0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
qCc1a4w5YZ.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
qCc1a4w5YZ.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
qCc1a4w5YZ.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
qCc1a4w5YZ.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
qCc1a4w5YZ.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000000.338908311.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.340346288.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.335185624.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: qCc1a4w5YZ.exe PID: 2680	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: qCc1a4w5YZ.exe PID: 3164	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.qCc1a4w5YZ.exe.27fc8c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
4.2.qCc1a4w5YZ.exe.22e4084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
4.2.qCc1a4w5YZ.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.0.qCc1a4w5YZ.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.qCc1a4w5YZ.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.qCc1a4w5YZ.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.qCc1a4w5YZ.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.282e96c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.282e96c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.282e96c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.282e96c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.qCc1a4w5YZ.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.qCc1a4w5YZ.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.qCc1a4w5YZ.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.qCc1a4w5YZ.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.0.qCc1a4w5YZ.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.0.qCc1a4w5YZ.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.qCc1a4w5YZ.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.2.qCc1a4w5YZ.exe.22e4084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.22e4084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x27bde4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x26bbb0:$x3: tasksche.exe 0x27bdc0:$x3: tasksche.exe 0x27bd9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x27be14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x26bc1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x23626c:$x7: mssecsvc.exe 0x251b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x26bb88:$x8: C:\%s\qeriuwjhrf 0x27bde4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x236254:$s1: C:\%s\%s 0x251b7c:$s1: C:\%s\%s 0x26bb9c:$s1: C:\%s\%s 0x27bd14:$s3: cmd.exe /c "%s" 0x2ae268:$s4: msg/m_portuguese.wnry
4.2.qCc1a4w5YZ.exe.22e4084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.2.qCc1a4w5YZ.exe.22e4084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x27bdc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x27bde8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.22e4084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x26e8fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2428d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24425a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2740a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.2316128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.2316128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.2316128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.2316128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.280b948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.280b948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.280b948.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.qCc1a4w5YZ.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.qCc1a4w5YZ.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.qCc1a4w5YZ.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.qCc1a4w5YZ.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.22f3104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.22f3104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x5009ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5009d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50d2f5:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x50883a:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5063a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
4.2.qCc1a4w5YZ.exe.22f3104.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.0.qCc1a4w5YZ.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.0.qCc1a4w5YZ.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.qCc1a4w5YZ.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.qCc1a4w5YZ.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.2.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.2.qCc1a4w5YZ.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.2.qCc1a4w5YZ.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.2.qCc1a4w5YZ.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.qCc1a4w5YZ.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.qCc1a4w5YZ.exe.28078e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.qCc1a4w5YZ.exe.28078e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.qCc1a4w5YZ.exe.28078e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 101 entries

Sigma Signatures

System Summary

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\qCc1a4w5YZ.exe, ProcessId: 2680, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Snort Signatures

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.22 - Destination IP: 104.17.244.81

Timestamp:	03/19/24-12:59:26.731566
SID:	2024298
Source Port:	49161
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.17.244.81 - Destination IP: 192.168.2.22

Timestamp:	03/19/24-12:59:27.283141
SID:	2031515
Source Port:	80
Destination Port:	49162
Protocol:	TCP
Classtype:	Misc activity

ET TROJAN Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.22 - Destination IP: 8.8.8.8

Timestamp:	03/19/24-12:59:26.506948
SID:	2024291
Source Port:	54562
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 - Source IP: 192.168.2.22 - Destination IP: 104.17.244.81

Timestamp:	03/19/24-12:59:27.165393
SID:	2024298
Source Port:	49162
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Known Sinkhole Response Kryptos Logic - Source IP: 104.17.244.81 - Destination IP: 192.168.2.22

Timestamp:	03/19/24-12:59:26.837633
SID:	2031515
Source Port:	80
Destination Port:	49161
Protocol:	TCP
Classtype:	Misc activity

ET TROJAN Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.22 - Destination IP: 8.8.8.8

Timestamp:	03/19/24-12:59:26.963276
SID:	2024291
Source Port:	52917
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: qCc1a4w5YZ.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/AD.WannaCry.sewvt

Multi AV Scanner detection for domain / URL

Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Virustotal: Detection: 7%	Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Virustotal: Detection: 7%	Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 92%			Perma Link

Multi AV Scanner detection for submitted file

Source: qCc1a4w5YZ.exe	ReversingLabs: Detection: 100%
Source: qCc1a4w5YZ.exe	Virustotal: Detection: 93%			Perma Link

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: qCc1a4w5YZ.exe

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 5_2_004018B9 CryptReleaseContext,

5_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.115:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.116:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.119:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.117:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.118:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: qCc1a4w5YZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.22:54562 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.22:49161 -> 104.17.244.81:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.17.244.81:80 -> 192.168.2.22:49161
Source: Traffic	Snort IDS: 2024291 ET TROJAN Possible WannaCry DNS Lookup 1 192.168.2.22:52917 -> 8.8.8.8:53
Source: Traffic	Snort IDS: 2024298 ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 192.168.2.22:49162 -> 104.17.244.81:80
Source: Traffic	Snort IDS: 2031515 ET TROJAN Known Sinkhole Response Kryptos Logic 104.17.244.81:80 -> 192.168.2.22:49162

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Mar 2024 11:59:26 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 866d4be05d6b5e86-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 19 Mar 2024 11:59:27 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 866d4be30cbc0f83-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: unknown

Network traffic detected: IP country count 20

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 214.137.245.2
Source: unknown	TCP traffic detected without corresponding DNS query: 203.79.193.247
Source: unknown	TCP traffic detected without corresponding DNS query: 120.15.162.62
Source: unknown	TCP traffic detected without corresponding DNS query: 141.67.174.208
Source: unknown	TCP traffic detected without corresponding DNS query: 143.98.163.93
Source: unknown	TCP traffic detected without corresponding DNS query: 211.233.9.32
Source: unknown	TCP traffic detected without corresponding DNS query: 200.171.37.34
Source: unknown	TCP traffic detected without corresponding DNS query: 82.147.32.72
Source: unknown	TCP traffic detected without corresponding DNS query: 59.78.128.44
Source: unknown	TCP traffic detected without corresponding DNS query: 184.90.137.138
Source: unknown	TCP traffic detected without corresponding DNS query: 49.149.212.33
Source: unknown	TCP traffic detected without corresponding DNS query: 157.87.74.109
Source: unknown	TCP traffic detected without corresponding DNS query: 134.46.137.214
Source: unknown	TCP traffic detected without corresponding DNS query: 92.85.153.197
Source: unknown	TCP traffic detected without corresponding DNS query: 223.117.141.206
Source: unknown	TCP traffic detected without corresponding DNS query: 205.170.59.230
Source: unknown	TCP traffic detected without corresponding DNS query: 167.202.20.98
Source: unknown	TCP traffic detected without corresponding DNS query: 215.232.13.19
Source: unknown	TCP traffic detected without corresponding DNS query: 106.225.177.219
Source: unknown	TCP traffic detected without corresponding DNS query: 120.31.152.218
Source: unknown	TCP traffic detected without corresponding DNS query: 102.6.66.108
Source: unknown	TCP traffic detected without corresponding DNS query: 74.72.249.143
Source: unknown	TCP traffic detected without corresponding DNS query: 24.108.26.189
Source: unknown	TCP traffic detected without corresponding DNS query: 77.103.225.161
Source: unknown	TCP traffic detected without corresponding DNS query: 61.131.243.6
Source: unknown	TCP traffic detected without corresponding DNS query: 223.223.204.191
Source: unknown	TCP traffic detected without corresponding DNS query: 66.58.6.205
Source: unknown	TCP traffic detected without corresponding DNS query: 148.235.105.203
Source: unknown	TCP traffic detected without corresponding DNS query: 63.253.202.201
Source: unknown	TCP traffic detected without corresponding DNS query: 152.160.70.29
Source: unknown	TCP traffic detected without corresponding DNS query: 161.132.93.183
Source: unknown	TCP traffic detected without corresponding DNS query: 138.106.27.189
Source: unknown	TCP traffic detected without corresponding DNS query: 136.62.32.195
Source: unknown	TCP traffic detected without corresponding DNS query: 174.237.224.230
Source: unknown	TCP traffic detected without corresponding DNS query: 97.103.153.59
Source: unknown	TCP traffic detected without corresponding DNS query: 196.152.41.222
Source: unknown	TCP traffic detected without corresponding DNS query: 136.81.3.67
Source: unknown	TCP traffic detected without corresponding DNS query: 114.71.66.208
Source: unknown	TCP traffic detected without corresponding DNS query: 162.53.105.46
Source: unknown	TCP traffic detected without corresponding DNS query: 176.74.29.67
Source: unknown	TCP traffic detected without corresponding DNS query: 119.35.93.148
Source: unknown	TCP traffic detected without corresponding DNS query: 204.249.107.70
Source: unknown	TCP traffic detected without corresponding DNS query: 46.174.180.99
Source: unknown	TCP traffic detected without corresponding DNS query: 146.29.152.53
Source: unknown	TCP traffic detected without corresponding DNS query: 222.34.195.17
Source: unknown	TCP traffic detected without corresponding DNS query: 137.157.60.35
Source: unknown	TCP traffic detected without corresponding DNS query: 135.39.29.27
Source: unknown	TCP traffic detected without corresponding DNS query: 198.104.2.29
Source: unknown	TCP traffic detected without corresponding DNS query: 75.16.253.158
Source: unknown	TCP traffic detected without corresponding DNS query: 24.120.0.173

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

Jump to behavior

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: qCc1a4w5YZ.exe	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: qCc1a4w5YZ.exe, 00000000.00000002.342021975.0000000000BE4000.00000004.00000020.00020000.00000000.sdmp, qCc1a4w5YZ.exe, 00000004.00000002.476028521.00000000002D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: qCc1a4w5YZ.exe, 00000004.00000002.476019020.000000000018C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

5_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: qCc1a4w5YZ.exe, type: SAMPLE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.280b948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.22f3104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.qCc1a4w5YZ.exe.28078e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000000.338908311.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.335185624.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: qCc1a4w5YZ.exe PID: 2680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: qCc1a4w5YZ.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.qCc1a4w5YZ.exe.28078e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.qCc1a4w5YZ.exe.28078e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.340346288.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Memory allocated: 770B0000 page execute and read and write			Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File created: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat			Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 5_2_00406C40	5_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 5_2_00402A76	5_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 5_2_00402E7E	5_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 5_2_0040350F	5_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 5_2_00404C19	5_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 5_2_0040541F	5_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 5_2_00403797	5_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 5_2_004043B7	5_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 5_2_004031BC	5_2_004031BC

Source: Joe Sandbox View

Dropped File: C:\Windows\tasksche.exe 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD

Source: qCc1a4w5YZ.exe	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.0.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: qCc1a4w5YZ.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: qCc1a4w5YZ.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.27fc8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.22e4084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.2316128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.22ef0a4.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.282e96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.280b948.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.qCc1a4w5YZ.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.qCc1a4w5YZ.exe.22f3104.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.qCc1a4w5YZ.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.qCc1a4w5YZ.exe.28078e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.qCc1a4w5YZ.exe.28078e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.340346288.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 00000005.00000000.340346288.000000000040E000.00000008.00000001.01000000.00000005.sdmp, qCc1a4w5YZ.exe, tasksche.exe.0.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@4/1@2/100

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	0_2_00407C40
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00401CE8

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Code function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

0_2_00407CE0

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		0_2_00408090
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		4_2_00408090

Source: qCc1a4w5YZ.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: qCc1a4w5YZ.exe	ReversingLabs: Detection: 100%
Source: qCc1a4w5YZ.exe	Virustotal: Detection: 93%

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

File read: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\qCc1a4w5YZ.exe "C:\Users\user\Desktop\qCc1a4w5YZ.exe"
Source: unknown	Process created: C:\Users\user\Desktop\qCc1a4w5YZ.exe C:\Users\user\Desktop\qCc1a4w5YZ.exe -m security
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32

Jump to behavior

Source: qCc1a4w5YZ.exe

Static file information: File size 3723264 > 1048576

Source: qCc1a4w5YZ.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000

Source: C:\Windows\tasksche.exe

Code function: 5_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 5_2_00407710 push eax; ret		5_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 5_2_004076C8 push eax; ret		5_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Executable created and started: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 2656	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3208	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3224	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3224	Thread sleep time: -108000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3228	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3232	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3228	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe TID: 3224	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\tasksche.exe

Code function: 5_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 5_2_004029CC free,GetProcessHeap,HeapFree,

5_2_004029CC

Source: C:\Users\user\Desktop\qCc1a4w5YZ.exe

Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
qCc1a4w5YZ.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
qCc1a4w5YZ.exe	93%	Virustotal		Browse
qCc1a4w5YZ.exe	100%	Avira	TR/AD.WannaCry.bqdjz
qCc1a4w5YZ.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	TR/AD.WannaCry.sewvt
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	8%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	8%	Virustotal		Browse
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	8%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.17.244.81	true	true	8%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	qCc1a4w5YZ.exe	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	qCc1a4w5YZ.exe, 00000004.00000002.476019020.000000000018C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
95.157.0.161	unknown	Germany	35244	KMS-DE_ASDE	false
71.169.117.113	unknown	United States	701	UUNETUS	false
43.23.69.97	unknown	Japan	4249	LILLY-ASUS	false
177.202.247.211	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
77.191.157.219	unknown	Germany	6805	TDDE-ASN1DE	false
40.11.59.238	unknown	United States	4249	LILLY-ASUS	false
5.209.64.109	unknown	Iran (ISLAMIC Republic Of)	197207	MCCI-ASIR	false
98.134.15.119	unknown	United States	8473	BAHNHOFhttpwwwbahnhofnetSE	false
155.205.80.136	unknown	Australia	132321	NTG-ICT-AUNorthernTerritoryGovernmentAU	false
151.166.91.109	unknown	United States	385	AFCONC-BLOCK1-ASUS	false
208.211.82.17	unknown	United States	701	UUNETUS	false
122.31.109.40	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
158.149.160.8	unknown	Norway	29492	EIDSIVA-ASNNO	false
71.12.218.12	unknown	United States	20115	CHARTER-20115US	false
193.186.231.243	unknown	Austria	21039	E-STEIERMARK-ASNAT	false
84.89.111.38	unknown	Spain	13041	CESCA-ACES	false
205.202.243.57	unknown	United States	11714	NETWORKNEBRASKAUS	false
139.110.30.40	unknown	Norway	5619	EVRY-NO	false
63.1.216.84	unknown	United States	701	UUNETUS	false
195.30.246.218	unknown	Germany	5539	SPACENETSpaceNETAGDE	false
216.19.53.67	unknown	United States	64242	SPEEDCONNECTUS	false
140.36.107.72	unknown	United States	668	DNIC-AS-00668US	false
22.212.166.190	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
147.14.242.12	unknown	Sweden	41076	POSTDK-ASDK	false
135.82.150.58	unknown	United States	18676	AVAYAUS	false
59.106.164.161	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	false
154.49.193.47	unknown	United States	174	COGENT-174US	false
19.124.227.36	unknown	United States	3	MIT-GATEWAYSUS	false
81.196.137.227	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	false
92.85.153.197	unknown	Romania	9050	RTDBucharestRomaniaRO	false
97.103.153.59	unknown	United States	33363	BHN-33363US	false
184.159.80.182	unknown	United States	209	CENTURYLINK-US-LEGACY-QWESTUS	false
151.28.169.3	unknown	Italy	1267	ASN-WINDTREIUNETEU	false
180.217.111.193	unknown	Taiwan; Republic of China (ROC)	24157	VIBO-NET-ASTaiwanStarTelecomCorporationLimitedFormer	false
185.161.75.21	unknown	Hungary	206892	RENDSZERINFHU	false
139.30.212.105	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
185.111.218.21	unknown	Russian Federation	61400	NETRACK-ASRU	false
196.83.52.9	unknown	Morocco	6713	IAM-ASMA	false
135.25.143.106	unknown	United States	54614	CIKTELECOM-CABLECA	false
18.155.205.32	unknown	United States	16509	AMAZON-02US	false
46.16.225.155	unknown	Russian Federation	44391	ESD-ASRU	false
34.58.7.138	unknown	United States	2686	ATGS-MMD-ASUS	false
93.179.86.193	unknown	Russian Federation	59793	CISP-ASRU	false
63.26.237.88	unknown	United States	6984	NYNEX-ASUS	false
163.195.106.64	unknown	South Africa	37130	SITA-ASZA	false
191.229.51.95	unknown	Brazil	26615	TIMSABR	false
135.123.39.190	unknown	United States	18676	AVAYAUS	false
55.52.236.112	unknown	United States	358	DNIC-ASBLK-00306-00371US	false
222.34.195.17	unknown	China	134810	CMNET-JILIN-AS-APChinaMobileGroupJiLincommunicationsco	false
104.152.90.81	unknown	United States	11527	TCS-SOLUS	false
192.247.56.231	unknown	United States	394386	OCANCA	false
104.17.244.81	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	United States	13335	CLOUDFLARENETUS	true
158.226.220.137	unknown	Switzerland	9159	CreditAgricoleFR	false
199.125.6.193	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
54.89.240.53	unknown	United States	14618	AMAZON-AESUS	false
128.88.221.129	unknown	United States	7430	TANDEMUS	false
104.112.116.50	unknown	United States	28573	CLAROSABR	false
214.159.201.75	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
141.43.125.82	unknown	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.127
192.168.2.124
192.168.2.125
192.168.2.128
192.168.2.129
192.168.2.122
192.168.2.123
192.168.2.120
192.168.2.121
10.125.245.135
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.130

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1411680
Start date and time:	2024-03-19 12:58:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	qCc1a4w5YZ.exe (renamed file extension from rl to exe, renamed because original name is a hash value)
Original Sample Name:	42ae1eabe02cf20ce21b32dc0f0f3a90206887a6.rl
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@4/1@2/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Execution Graph export aborted for target tasksche.exe, PID 3256 because there are no executed function
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:59:24	API Interceptor	2388x Sleep call for process: qCc1a4w5YZ.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.17.244.81
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.173.80
	02353699.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	05894899.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	dNDbcC4Trx.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	tk6uE0LqBo.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	lioUeojCW0.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	hCg5azGZ3S.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	iWxJnG4tgQ.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	5KG3HopzFf.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KMS-DE_ASDE	skid.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	95.157.43.31
	t952M4QOm8.elf	Get hash	malicious	Mirai	Browse	95.157.1.168
	zOKUvUgL0n.elf	Get hash	malicious	Mirai	Browse	46.128.51.235
	r3fLoZrV7T.elf	Get hash	malicious	Mirai	Browse	77.47.23.65
	HROFrIvvVk.elf	Get hash	malicious	Mirai	Browse	46.128.51.218
	nnOhQG5PkE.elf	Get hash	malicious	Mirai	Browse	77.47.59.210
	flB6ygLzMc.elf	Get hash	malicious	Mirai	Browse	77.47.23.43
	dq0s72MFq3.elf	Get hash	malicious	Mirai	Browse	77.47.23.63
	CTRohfxuuX.elf	Get hash	malicious	Unknown	Browse	88.215.87.221
	sora.arm.elf	Get hash	malicious	Mirai	Browse	88.215.87.245
UUNETUS	https://u43046827.ct.sendgrid.net/ls/click?upn=u001.9VHLeMPT-2FpgU5o8m-2F14MwvUfe0bWbtnJUI8Zq0olKrWHB65SHPLEcoF8PygluFz3tM9xm-2BgSb-2FXs1hN955wBZg-3D-3DWQ1a_HugXHfUURLjio0NDJvkCDhedd6ryxBamWBqA3Uoq0PhwHvltbg0s-2F-2F3Syr-2B5YzCc9T1AL3nYX5XHvHAzVR7pEkVw-2FefYjfGAgXEHr-2Bxv8UN9-2B2uA7NfLReF-2FKHmdycojNEeIKFwihOeDc0oJ0-2Bond-2FRWOKrbFXDRmg4PoOeUaAOnlW0L18SBVAQx2xHhUr1yYvYxeh2DzHe1C-2BJui7zdrXDogBFLSn-2FGSyCqdJTxVpc-3D	Get hash	malicious	HTMLPhisher	Browse	146.190.129.51
	https://ijdusqwrohoiom.s3.ap-east-1.amazonaws.com/ijdusqwrohoiom.html#4KtZGW6879WyRf493mmiwohcsia1681GHZPKFDOZAMLFUH86446/733104j21#q0kvx6a1ntygndsvgojbwxcovs3k7p88g8y2izqgugrlx484ajg8j1c	Get hash	malicious	Phisher	Browse	146.190.102.210
	https://vghpsimdplmwc.s3.amazonaws.com/vghpsimdplmwc.html#4FRnVP6868zmfR493tnmwllyusk1585HHMTITXPKQQDUGQ18091/733104C21#c1p42w46m4kwzliliqghbluf3ezx6gf7ur7w1piqq0gw35fwp51s1ix	Get hash	malicious	Phisher	Browse	146.190.102.210
	TF2AD5Jnbu.elf	Get hash	malicious	Unknown	Browse	71.122.129.193
	yzIY5KFJSu.elf	Get hash	malicious	Mirai	Browse	108.41.160.15
	5dm0sjynSD.elf	Get hash	malicious	Unknown	Browse	63.23.174.162
	o7EitOEfWr.elf	Get hash	malicious	Unknown	Browse	65.198.205.241
	8B5NOWiWn8.elf	Get hash	malicious	Unknown	Browse	152.211.115.44
	bzVCvtoyIt.elf	Get hash	malicious	Mirai	Browse	149.230.227.62
	hyWl33Q2OI.elf	Get hash	malicious	Unknown	Browse	65.204.237.138
LILLY-ASUS	SecuriteInfo.com.Trojan.PWS.Siggen2.60328.11377.32540.exe	Get hash	malicious	Unknown	Browse	43.152.136.177
	8B5NOWiWn8.elf	Get hash	malicious	Unknown	Browse	40.244.34.105
	bzVCvtoyIt.elf	Get hash	malicious	Mirai	Browse	43.59.23.153
	hyWl33Q2OI.elf	Get hash	malicious	Unknown	Browse	43.56.38.242
	7p4wRYn0OK.elf	Get hash	malicious	Mirai	Browse	40.239.119.41
	usCv5xTgmC.elf	Get hash	malicious	Unknown	Browse	42.132.65.14
	FoDoFx0t5a.elf	Get hash	malicious	Mirai	Browse	43.63.117.142
	TduoIaOsBQ.elf	Get hash	malicious	Unknown	Browse	42.212.92.214
	xFe4GHvmqU.elf	Get hash	malicious	Unknown	Browse	43.127.208.187
	QEMy2mlwhJ.elf	Get hash	malicious	Mirai	Browse	43.73.22.157
BrasilTelecomSA-FilialDistritoFederalBR	yzIY5KFJSu.elf	Get hash	malicious	Mirai	Browse	179.253.102.23
	8B5NOWiWn8.elf	Get hash	malicious	Unknown	Browse	200.219.112.88
	bzVCvtoyIt.elf	Get hash	malicious	Mirai	Browse	177.3.42.41
	7InjeWQVHC.elf	Get hash	malicious	Unknown	Browse	201.89.39.9
	uA97EyP1li.elf	Get hash	malicious	Mirai	Browse	201.35.197.2
	wbHziCLDIg.elf	Get hash	malicious	Mirai	Browse	191.221.202.40
	ry3HbSIIPt.elf	Get hash	malicious	Mirai	Browse	200.103.157.246
	PPIQY37OuD.elf	Get hash	malicious	Unknown	Browse	179.255.153.159
	Jx14GO9SfG.elf	Get hash	malicious	Mirai	Browse	191.219.7.147
	1WqX6biryS.elf	Get hash	malicious	Mirai	Browse	201.67.164.120
TDDE-ASN1DE	yzIY5KFJSu.elf	Get hash	malicious	Mirai	Browse	2.211.128.245
	bzVCvtoyIt.elf	Get hash	malicious	Mirai	Browse	217.50.136.240
	PD1Afd15RS.elf	Get hash	malicious	Mirai	Browse	2.241.171.103
	QGN4hQprkC.elf	Get hash	malicious	Mirai	Browse	89.12.132.165
	RpjE7NostK.elf	Get hash	malicious	Mirai	Browse	77.190.53.65
	wbHziCLDIg.elf	Get hash	malicious	Mirai	Browse	92.230.179.166
	K3k8Tqy0DP.elf	Get hash	malicious	Mirai	Browse	2.246.191.60
	PPIQY37OuD.elf	Get hash	malicious	Unknown	Browse	92.231.75.12
	1PfkUPbqjw.elf	Get hash	malicious	Mirai	Browse	85.183.38.244
	ThOZWVZFbg.elf	Get hash	malicious	Mirai	Browse	77.179.204.62

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	stN592INV6.exe	Get hash	malicious	Wannacry	Browse
	onq54JS79W.exe	Get hash	malicious	Wannacry	Browse
	mbXvGlj2dR.dll	Get hash	malicious	Wannacry	Browse
	MSNRf9dZ63.exe	Get hash	malicious	Wannacry	Browse
	7Qu8thR7WW.dll	Get hash	malicious	Wannacry, Virut	Browse
	MSmReFKunQ.dll	Get hash	malicious	Wannacry	Browse
	kXpnLUmuU2.dll	Get hash	malicious	Wannacry	Browse
	TigrxMihsc.dll	Get hash	malicious	Wannacry	Browse
	iTQzi9bir4.dll	Get hash	malicious	Wannacry	Browse
	5nuyzrvshp.dll	Get hash	malicious	Virut, Wannacry	Browse

Created / dropped Files

C:\Windows\tasksche.exe

Download File

Process:	C:\Users\user\Desktop\qCc1a4w5YZ.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.996072890929898
Encrypted:	true
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QqPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	7F7CCAA16FB15EB1C7399D422F8363E8
SHA1:	BD44D0AB543BF814D93B719C24E90D8DD7111234
SHA-256:	2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
SHA-512:	83E334B80DE08903CFA9891A3FA349C1ECE7E19F8E62B74A017512FA9A7989A0FD31929BF1FC13847BEE04F2DA3DACF6BC3F5EE58F0E4B9D495F4B9AF12ED2B7
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97% Antivirus: Virustotal, Detection: 93%, Browse
Joe Sandbox View:	Filename: stN592INV6.exe, Detection: malicious, Browse Filename: onq54JS79W.exe, Detection: malicious, Browse Filename: mbXvGlj2dR.dll, Detection: malicious, Browse Filename: MSNRf9dZ63.exe, Detection: malicious, Browse Filename: 7Qu8thR7WW.dll, Detection: malicious, Browse Filename: MSmReFKunQ.dll, Detection: malicious, Browse Filename: kXpnLUmuU2.dll, Detection: malicious, Browse Filename: TigrxMihsc.dll, Detection: malicious, Browse Filename: iTQzi9bir4.dll, Detection: malicious, Browse Filename: 5nuyzrvshp.dll, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.965905229015079
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	qCc1a4w5YZ.exe
File size:	3'723'264 bytes
MD5:	fb1c4d59adaf64a044dba323ea8fe6f0
SHA1:	42ae1eabe02cf20ce21b32dc0f0f3a90206887a6
SHA256:	8052e7b4b67c2cafa041fdc3b7daa5684d1a85ad9b1b5ca1b7beba8631bac062
SHA512:	1d76ee4218592249536a09ee1b76b91939905e32d0ad0a53c7b92fb11b3d02e642a1c9ed484bffc123cf7f2501f1d780d1b2b7bb2a2404120efaa27c6c325f35
SSDEEP:	98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2HI:yDqPe1Cxcxk3ZAEUadzR8yc4HI
TLSH:	34063394612CB2FCF0440EB44473896AB7B33C69A7BA5E1F9BC086670D53B5BAFD0641
File Content Preview:	MZ......................@...............................................!..L.!This prolpem cannot be rua in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	aaf3e3e3918382a0

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007FC740F7D791h
cmp dword ptr [00431410h], ebx
jne 00007FC740F7D67Eh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007FC740F7D763h
push 0040B010h
push 0040B00Ch
call 00007FC740F7D74Eh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007FC740F7D71Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x35a454	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8bca	0x9000	799fa6f54ef4176da2990896faea65d8	False	0.534423828125	data	6.1345234015658825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	d8037d744b539326c06e897625751cc9	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	22a8598dc29cad7078c291e94612ce26	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x35a454	0x35b000	a19437cf29a158eae9109b8ecb75975d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
R	0x3100a4	0x35a000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States	0.9710664749145508
RT_VERSION	0x66a0a4	0x3b0	data	English	United States	1.0116525423728813

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/19/24-12:59:26.731566	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49161	80	192.168.2.22	104.17.244.81
03/19/24-12:59:27.283141	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49162	104.17.244.81	192.168.2.22
03/19/24-12:59:26.506948	UDP	2024291	ET TROJAN Possible WannaCry DNS Lookup 1	54562	53	192.168.2.22	8.8.8.8
03/19/24-12:59:27.165393	TCP	2024298	ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	49162	80	192.168.2.22	104.17.244.81
03/19/24-12:59:26.837633	TCP	2031515	ET TROJAN Known Sinkhole Response Kryptos Logic	80	49161	104.17.244.81	192.168.2.22
03/19/24-12:59:26.963276	UDP	2024291	ET TROJAN Possible WannaCry DNS Lookup 1	52917	53	192.168.2.22	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2024 12:59:26.617815971 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.705202103 CET	80	49161	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:26.705302000 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.731565952 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.820549011 CET	80	49161	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:26.837632895 CET	80	49161	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:26.837806940 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.837909937 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.838219881 CET	80	49161	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:26.838269949 CET	49161	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:26.925255060 CET	80	49161	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:27.077778101 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.165178061 CET	80	49162	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:27.165236950 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.165393114 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.252794027 CET	80	49162	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:27.283140898 CET	80	49162	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:27.283190012 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.283262968 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.283427000 CET	80	49162	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:27.283469915 CET	49162	80	192.168.2.22	104.17.244.81
Mar 19, 2024 12:59:27.300116062 CET	49163	445	192.168.2.22	214.137.245.2
Mar 19, 2024 12:59:27.370548010 CET	80	49162	104.17.244.81	192.168.2.22
Mar 19, 2024 12:59:28.417207956 CET	49176	445	192.168.2.22	203.79.193.247
Mar 19, 2024 12:59:29.307251930 CET	49185	445	192.168.2.22	120.15.162.62
Mar 19, 2024 12:59:29.540601969 CET	49188	445	192.168.2.22	141.67.174.208
Mar 19, 2024 12:59:30.430104017 CET	49200	445	192.168.2.22	143.98.163.93
Mar 19, 2024 12:59:30.663769960 CET	49203	445	192.168.2.22	211.233.9.32
Mar 19, 2024 12:59:31.320486069 CET	49210	445	192.168.2.22	200.171.37.34
Mar 19, 2024 12:59:31.552793026 CET	49214	445	192.168.2.22	82.147.32.72
Mar 19, 2024 12:59:31.786947966 CET	49217	445	192.168.2.22	110.226.13.154
Mar 19, 2024 12:59:32.441983938 CET	49223	445	192.168.2.22	59.78.128.44
Mar 19, 2024 12:59:32.676071882 CET	49229	445	192.168.2.22	5.26.110.103
Mar 19, 2024 12:59:32.910182953 CET	49232	445	192.168.2.22	184.90.137.138
Mar 19, 2024 12:59:33.332968950 CET	49237	445	192.168.2.22	49.149.212.33
Mar 19, 2024 12:59:33.565248966 CET	49239	445	192.168.2.22	157.87.74.109
Mar 19, 2024 12:59:33.799272060 CET	49244	445	192.168.2.22	134.46.137.214
Mar 19, 2024 12:59:34.033356905 CET	49247	445	192.168.2.22	92.85.153.197
Mar 19, 2024 12:59:34.454447031 CET	49251	445	192.168.2.22	223.117.141.206
Mar 19, 2024 12:59:34.688580990 CET	49254	445	192.168.2.22	205.170.59.230
Mar 19, 2024 12:59:34.922548056 CET	49259	445	192.168.2.22	167.202.20.98
Mar 19, 2024 12:59:35.156481981 CET	49262	445	192.168.2.22	215.232.13.19
Mar 19, 2024 12:59:35.344440937 CET	49265	445	192.168.2.22	106.225.177.219
Mar 19, 2024 12:59:35.577620983 CET	49267	445	192.168.2.22	120.31.152.218
Mar 19, 2024 12:59:35.811815977 CET	49270	445	192.168.2.22	102.6.66.108
Mar 19, 2024 12:59:36.045749903 CET	49275	445	192.168.2.22	74.72.249.143
Mar 19, 2024 12:59:36.279599905 CET	49278	445	192.168.2.22	24.108.26.189
Mar 19, 2024 12:59:36.466783047 CET	49281	445	192.168.2.22	77.103.225.161
Mar 19, 2024 12:59:36.700823069 CET	49283	445	192.168.2.22	61.131.243.6
Mar 19, 2024 12:59:36.934916973 CET	49286	445	192.168.2.22	223.223.204.191
Mar 19, 2024 12:59:37.168937922 CET	49291	445	192.168.2.22	66.58.6.205
Mar 19, 2024 12:59:37.356981993 CET	49294	445	192.168.2.22	148.235.105.203
Mar 19, 2024 12:59:37.402921915 CET	49295	445	192.168.2.22	63.253.202.201
Mar 19, 2024 12:59:37.590080976 CET	49299	445	192.168.2.22	152.160.70.29
Mar 19, 2024 12:59:37.824191093 CET	49300	445	192.168.2.22	161.132.93.183
Mar 19, 2024 12:59:38.058177948 CET	49303	445	192.168.2.22	138.106.27.189
Mar 19, 2024 12:59:38.292238951 CET	49308	445	192.168.2.22	136.62.32.195
Mar 19, 2024 12:59:38.479232073 CET	49311	445	192.168.2.22	132.110.238.107
Mar 19, 2024 12:59:38.526160955 CET	49312	445	192.168.2.22	174.237.224.230
Mar 19, 2024 12:59:38.713352919 CET	49316	445	192.168.2.22	97.103.153.59
Mar 19, 2024 12:59:38.947369099 CET	49317	445	192.168.2.22	196.152.41.222
Mar 19, 2024 12:59:39.183029890 CET	49320	445	192.168.2.22	136.81.3.67
Mar 19, 2024 12:59:39.369081020 CET	49324	445	192.168.2.22	114.71.66.208
Mar 19, 2024 12:59:39.415273905 CET	49325	445	192.168.2.22	162.53.105.46
Mar 19, 2024 12:59:39.602384090 CET	49326	445	192.168.2.22	176.74.29.67
Mar 19, 2024 12:59:39.649144888 CET	49327	445	192.168.2.22	119.35.93.148
Mar 19, 2024 12:59:39.977391958 CET	49331	445	192.168.2.22	204.249.107.70
Mar 19, 2024 12:59:40.070523024 CET	49334	445	192.168.2.22	46.174.180.99
Mar 19, 2024 12:59:40.304596901 CET	49338	445	192.168.2.22	146.29.152.53
Mar 19, 2024 12:59:40.588669062 CET	49342	445	192.168.2.22	222.34.195.17
Mar 19, 2024 12:59:40.588826895 CET	49343	445	192.168.2.22	137.157.60.35
Mar 19, 2024 12:59:40.725613117 CET	49345	445	192.168.2.22	135.39.29.27
Mar 19, 2024 12:59:40.772562981 CET	49346	445	192.168.2.22	198.104.2.29
Mar 19, 2024 12:59:41.100188971 CET	49350	445	192.168.2.22	75.16.253.158
Mar 19, 2024 12:59:41.193625927 CET	49352	445	192.168.2.22	24.120.0.173
Mar 19, 2024 12:59:41.381006002 CET	49356	445	192.168.2.22	169.38.35.103
Mar 19, 2024 12:59:41.427711010 CET	49358	445	192.168.2.22	5.75.228.213
Mar 19, 2024 12:59:41.603502035 CET	445	49358	5.75.228.213	192.168.2.22
Mar 19, 2024 12:59:41.708488941 CET	49361	445	192.168.2.22	99.17.100.173
Mar 19, 2024 12:59:41.708507061 CET	49362	445	192.168.2.22	18.137.250.253
Mar 19, 2024 12:59:41.848864079 CET	49364	445	192.168.2.22	139.30.212.105
Mar 19, 2024 12:59:41.895603895 CET	49365	445	192.168.2.22	161.113.153.108
Mar 19, 2024 12:59:42.113979101 CET	49358	445	192.168.2.22	5.75.228.213
Mar 19, 2024 12:59:42.223409891 CET	49368	445	192.168.2.22	97.243.7.9
Mar 19, 2024 12:59:42.288445950 CET	445	49358	5.75.228.213	192.168.2.22
Mar 19, 2024 12:59:42.316785097 CET	49371	445	192.168.2.22	72.240.199.1
Mar 19, 2024 12:59:42.504060984 CET	49375	445	192.168.2.22	64.54.143.46
Mar 19, 2024 12:59:42.550882101 CET	49377	445	192.168.2.22	162.21.155.219
Mar 19, 2024 12:59:42.831667900 CET	49380	445	192.168.2.22	34.79.68.78
Mar 19, 2024 12:59:42.832103968 CET	49381	445	192.168.2.22	177.8.42.72
Mar 19, 2024 12:59:42.973748922 CET	49383	445	192.168.2.22	212.57.116.148
Mar 19, 2024 12:59:43.019054890 CET	49384	445	192.168.2.22	174.217.188.21
Mar 19, 2024 12:59:43.245457888 CET	445	49303	138.106.27.189	192.168.2.22
Mar 19, 2024 12:59:43.346551895 CET	49387	445	192.168.2.22	223.34.214.254
Mar 19, 2024 12:59:43.393544912 CET	49389	445	192.168.2.22	17.39.203.164
Mar 19, 2024 12:59:43.440156937 CET	49391	445	192.168.2.22	145.173.217.224
Mar 19, 2024 12:59:43.627238989 CET	49395	445	192.168.2.22	70.153.70.13
Mar 19, 2024 12:59:43.674024105 CET	49397	445	192.168.2.22	162.51.30.250
Mar 19, 2024 12:59:43.954986095 CET	49400	445	192.168.2.22	111.83.160.62
Mar 19, 2024 12:59:43.955244064 CET	49401	445	192.168.2.22	81.34.30.33
Mar 19, 2024 12:59:44.095314026 CET	49403	445	192.168.2.22	207.126.224.3
Mar 19, 2024 12:59:44.142471075 CET	49404	445	192.168.2.22	158.67.34.169
Mar 19, 2024 12:59:44.469849110 CET	49407	445	192.168.2.22	185.111.218.21
Mar 19, 2024 12:59:44.516338110 CET	49409	445	192.168.2.22	61.94.223.54
Mar 19, 2024 12:59:44.563302994 CET	49411	445	192.168.2.22	168.49.172.217
Mar 19, 2024 12:59:44.750462055 CET	49415	445	192.168.2.22	69.199.81.104
Mar 19, 2024 12:59:44.797400951 CET	49417	445	192.168.2.22	132.155.243.49
Mar 19, 2024 12:59:45.078097105 CET	49420	445	192.168.2.22	151.166.91.109
Mar 19, 2024 12:59:45.078233004 CET	49421	445	192.168.2.22	82.154.128.35
Mar 19, 2024 12:59:45.234035015 CET	49423	445	192.168.2.22	181.212.33.38
Mar 19, 2024 12:59:45.265261889 CET	49424	445	192.168.2.22	188.247.111.198
Mar 19, 2024 12:59:45.405925989 CET	49425	445	192.168.2.22	149.54.12.67
Mar 19, 2024 12:59:45.592961073 CET	49428	445	192.168.2.22	88.92.98.30
Mar 19, 2024 12:59:45.639672041 CET	49430	445	192.168.2.22	27.180.114.81
Mar 19, 2024 12:59:45.686820984 CET	49432	445	192.168.2.22	106.57.135.87
Mar 19, 2024 12:59:45.873759031 CET	49436	445	192.168.2.22	221.159.228.248
Mar 19, 2024 12:59:45.920386076 CET	49438	445	192.168.2.22	95.168.144.129
Mar 19, 2024 12:59:46.201459885 CET	49441	445	192.168.2.22	178.109.176.107
Mar 19, 2024 12:59:46.201803923 CET	49443	445	192.168.2.22	210.132.94.199
Mar 19, 2024 12:59:46.357723951 CET	49444	445	192.168.2.22	32.64.162.39
Mar 19, 2024 12:59:46.389888048 CET	49445	445	192.168.2.22	222.180.124.38
Mar 19, 2024 12:59:46.528992891 CET	49446	445	192.168.2.22	214.243.185.134
Mar 19, 2024 12:59:46.716425896 CET	49450	445	192.168.2.22	220.233.176.92
Mar 19, 2024 12:59:46.763000965 CET	49451	445	192.168.2.22	202.143.241.80
Mar 19, 2024 12:59:46.809842110 CET	49453	445	192.168.2.22	141.198.244.15
Mar 19, 2024 12:59:46.996777058 CET	49457	445	192.168.2.22	175.131.225.61
Mar 19, 2024 12:59:47.052099943 CET	49459	445	192.168.2.22	188.234.93.216
Mar 19, 2024 12:59:47.324448109 CET	49463	445	192.168.2.22	57.94.68.28
Mar 19, 2024 12:59:47.324456930 CET	49464	445	192.168.2.22	71.169.117.113
Mar 19, 2024 12:59:47.420629978 CET	49465	445	192.168.2.22	186.218.160.65
Mar 19, 2024 12:59:47.480787039 CET	49466	445	192.168.2.22	172.24.128.225
Mar 19, 2024 12:59:47.511733055 CET	49467	445	192.168.2.22	116.195.60.145
Mar 19, 2024 12:59:47.651993036 CET	49469	445	192.168.2.22	31.44.222.182
Mar 19, 2024 12:59:47.839243889 CET	49473	445	192.168.2.22	194.53.56.94
Mar 19, 2024 12:59:47.886008978 CET	49475	445	192.168.2.22	117.156.118.51
Mar 19, 2024 12:59:47.932868004 CET	49476	445	192.168.2.22	199.125.6.193
Mar 19, 2024 12:59:48.120079994 CET	49480	445	192.168.2.22	125.218.37.16
Mar 19, 2024 12:59:48.166908026 CET	49481	445	192.168.2.22	113.9.6.69
Mar 19, 2024 12:59:48.447699070 CET	49485	445	192.168.2.22	146.6.102.30
Mar 19, 2024 12:59:48.447829962 CET	49486	445	192.168.2.22	51.156.107.127
Mar 19, 2024 12:59:48.541511059 CET	49487	445	192.168.2.22	44.91.155.218
Mar 19, 2024 12:59:48.619709015 CET	49488	445	192.168.2.22	50.73.82.153
Mar 19, 2024 12:59:48.635294914 CET	49489	445	192.168.2.22	64.220.69.91
Mar 19, 2024 12:59:48.775463104 CET	49491	445	192.168.2.22	95.157.0.161
Mar 19, 2024 12:59:48.962441921 CET	49495	445	192.168.2.22	77.187.137.217
Mar 19, 2024 12:59:49.009462118 CET	49497	445	192.168.2.22	142.31.6.74
Mar 19, 2024 12:59:49.056421041 CET	49499	445	192.168.2.22	52.96.246.205
Mar 19, 2024 12:59:49.243541002 CET	49502	445	192.168.2.22	59.94.62.151
Mar 19, 2024 12:59:49.290296078 CET	49503	445	192.168.2.22	200.28.158.38
Mar 19, 2024 12:59:49.430620909 CET	49506	445	192.168.2.22	176.157.79.150
Mar 19, 2024 12:59:49.571058035 CET	49508	445	192.168.2.22	141.139.5.248
Mar 19, 2024 12:59:49.571360111 CET	49509	445	192.168.2.22	212.201.187.130
Mar 19, 2024 12:59:49.664365053 CET	49510	445	192.168.2.22	43.11.179.189
Mar 19, 2024 12:59:49.742527962 CET	49511	445	192.168.2.22	105.43.71.100
Mar 19, 2024 12:59:49.758258104 CET	49512	445	192.168.2.22	102.226.176.0
Mar 19, 2024 12:59:49.898513079 CET	49514	445	192.168.2.22	46.72.181.238
Mar 19, 2024 12:59:50.086090088 CET	49518	445	192.168.2.22	171.228.230.140
Mar 19, 2024 12:59:50.132497072 CET	49520	445	192.168.2.22	42.234.30.21
Mar 19, 2024 12:59:50.179481030 CET	49522	445	192.168.2.22	129.209.30.107
Mar 19, 2024 12:59:50.366589069 CET	49525	445	192.168.2.22	181.108.81.174
Mar 19, 2024 12:59:50.413330078 CET	49526	445	192.168.2.22	37.86.103.199
Mar 19, 2024 12:59:50.553647041 CET	49529	445	192.168.2.22	165.80.138.168
Mar 19, 2024 12:59:50.694113970 CET	49532	445	192.168.2.22	30.39.30.147
Mar 19, 2024 12:59:50.694144011 CET	49531	445	192.168.2.22	18.11.29.180
Mar 19, 2024 12:59:50.787672043 CET	49533	445	192.168.2.22	205.247.171.169
Mar 19, 2024 12:59:50.865732908 CET	49534	445	192.168.2.22	34.58.7.138
Mar 19, 2024 12:59:50.881381035 CET	49535	445	192.168.2.22	177.39.82.178
Mar 19, 2024 12:59:51.021583080 CET	49537	445	192.168.2.22	21.126.169.110
Mar 19, 2024 12:59:51.209175110 CET	49541	445	192.168.2.22	61.50.224.158
Mar 19, 2024 12:59:51.255642891 CET	49543	445	192.168.2.22	53.182.115.237
Mar 19, 2024 12:59:51.303138971 CET	49544	445	192.168.2.22	75.131.56.237
Mar 19, 2024 12:59:51.443638086 CET	49548	445	192.168.2.22	184.117.235.162
Mar 19, 2024 12:59:51.490269899 CET	49549	445	192.168.2.22	65.94.71.141
Mar 19, 2024 12:59:51.536757946 CET	49550	445	192.168.2.22	73.125.199.200
Mar 19, 2024 12:59:51.677009106 CET	49553	445	192.168.2.22	14.100.150.241
Mar 19, 2024 12:59:51.817612886 CET	49555	445	192.168.2.22	104.17.108.132
Mar 19, 2024 12:59:51.817827940 CET	49556	445	192.168.2.22	71.12.218.12
Mar 19, 2024 12:59:51.910902977 CET	49557	445	192.168.2.22	108.57.167.191
Mar 19, 2024 12:59:51.989377975 CET	49558	445	192.168.2.22	94.238.9.124
Mar 19, 2024 12:59:52.004981041 CET	49559	445	192.168.2.22	176.62.12.77
Mar 19, 2024 12:59:52.145170927 CET	49561	445	192.168.2.22	208.211.82.17
Mar 19, 2024 12:59:52.332350969 CET	49565	445	192.168.2.22	17.215.250.142
Mar 19, 2024 12:59:52.379468918 CET	49567	445	192.168.2.22	57.191.64.216
Mar 19, 2024 12:59:52.426094055 CET	49568	445	192.168.2.22	100.101.13.179
Mar 19, 2024 12:59:52.566287994 CET	49572	445	192.168.2.22	90.236.148.172
Mar 19, 2024 12:59:52.612900019 CET	49573	445	192.168.2.22	170.109.103.226
Mar 19, 2024 12:59:52.659941912 CET	49575	445	192.168.2.22	176.159.42.99
Mar 19, 2024 12:59:52.800138950 CET	49577	445	192.168.2.22	179.209.54.172
Mar 19, 2024 12:59:52.940535069 CET	49580	445	192.168.2.22	20.71.50.94
Mar 19, 2024 12:59:52.942086935 CET	49579	445	192.168.2.22	165.239.107.176
Mar 19, 2024 12:59:53.034409046 CET	49582	445	192.168.2.22	199.159.238.94
Mar 19, 2024 12:59:53.112104893 CET	49583	445	192.168.2.22	74.231.185.198
Mar 19, 2024 12:59:53.127573967 CET	49584	445	192.168.2.22	158.119.52.124
Mar 19, 2024 12:59:53.280296087 CET	49585	445	192.168.2.22	8.238.189.234
Mar 19, 2024 12:59:53.455248117 CET	49589	445	192.168.2.22	86.189.77.142
Mar 19, 2024 12:59:53.455570936 CET	49590	445	192.168.2.22	85.167.8.93
Mar 19, 2024 12:59:53.502120972 CET	49591	445	192.168.2.22	186.148.8.36
Mar 19, 2024 12:59:53.548902988 CET	49592	445	192.168.2.22	166.229.45.96
Mar 19, 2024 12:59:53.689234018 CET	49593	445	192.168.2.22	94.202.220.239
Mar 19, 2024 12:59:53.736212015 CET	49594	445	192.168.2.22	20.1.54.11
Mar 19, 2024 12:59:53.783165932 CET	49595	445	192.168.2.22	131.170.47.20
Mar 19, 2024 12:59:53.923243046 CET	49596	445	192.168.2.22	194.57.140.191
Mar 19, 2024 12:59:54.063760042 CET	49597	445	192.168.2.22	15.110.97.169
Mar 19, 2024 12:59:54.063760042 CET	49598	445	192.168.2.22	125.155.72.194
Mar 19, 2024 12:59:54.157269955 CET	49599	445	192.168.2.22	176.220.195.122
Mar 19, 2024 12:59:54.235512972 CET	49600	445	192.168.2.22	107.32.195.247
Mar 19, 2024 12:59:54.250972033 CET	49601	445	192.168.2.22	191.229.51.95
Mar 19, 2024 12:59:54.391395092 CET	49602	445	192.168.2.22	212.139.44.172
Mar 19, 2024 12:59:54.578615904 CET	49603	445	192.168.2.22	221.183.86.175
Mar 19, 2024 12:59:54.582029104 CET	49604	445	192.168.2.22	154.249.38.166
Mar 19, 2024 12:59:54.625490904 CET	49605	445	192.168.2.22	147.80.60.47
Mar 19, 2024 12:59:54.672156096 CET	49606	445	192.168.2.22	30.66.84.19
Mar 19, 2024 12:59:54.789680958 CET	445	49604	154.249.38.166	192.168.2.22
Mar 19, 2024 12:59:54.812691927 CET	49607	445	192.168.2.22	85.124.108.140
Mar 19, 2024 12:59:54.859338045 CET	49608	445	192.168.2.22	187.217.33.119
Mar 19, 2024 12:59:54.906037092 CET	49609	445	192.168.2.22	161.204.48.16
Mar 19, 2024 12:59:55.046658039 CET	49610	445	192.168.2.22	2.110.90.46
Mar 19, 2024 12:59:55.187022924 CET	49611	445	192.168.2.22	44.17.153.153
Mar 19, 2024 12:59:55.187411070 CET	49612	445	192.168.2.22	122.80.204.119
Mar 19, 2024 12:59:55.280813932 CET	49613	445	192.168.2.22	184.159.80.182
Mar 19, 2024 12:59:55.296026945 CET	49604	445	192.168.2.22	154.249.38.166
Mar 19, 2024 12:59:55.374203920 CET	49614	445	192.168.2.22	215.211.20.137
Mar 19, 2024 12:59:55.374403954 CET	49615	445	192.168.2.22	58.91.218.108
Mar 19, 2024 12:59:55.467890024 CET	49616	445	192.168.2.22	202.158.247.182
Mar 19, 2024 12:59:55.503129959 CET	445	49604	154.249.38.166	192.168.2.22
Mar 19, 2024 12:59:55.514545918 CET	49617	445	192.168.2.22	178.18.39.27
Mar 19, 2024 12:59:55.701826096 CET	49618	445	192.168.2.22	140.156.139.139
Mar 19, 2024 12:59:55.701865911 CET	49619	445	192.168.2.22	39.130.209.92
Mar 19, 2024 12:59:55.748631954 CET	49620	445	192.168.2.22	64.55.251.213
Mar 19, 2024 12:59:55.795300007 CET	49621	445	192.168.2.22	129.85.252.133
Mar 19, 2024 12:59:55.796047926 CET	445	49616	202.158.247.182	192.168.2.22
Mar 19, 2024 12:59:55.951529980 CET	49622	445	192.168.2.22	183.158.47.201
Mar 19, 2024 12:59:55.982520103 CET	49623	445	192.168.2.22	21.151.31.205
Mar 19, 2024 12:59:56.032308102 CET	49624	445	192.168.2.22	132.74.149.245
Mar 19, 2024 12:59:56.169899940 CET	49625	445	192.168.2.22	212.177.70.229
Mar 19, 2024 12:59:56.309901953 CET	49616	445	192.168.2.22	202.158.247.182
Mar 19, 2024 12:59:56.535897970 CET	49626	445	192.168.2.22	170.131.124.206
Mar 19, 2024 12:59:56.536120892 CET	49627	445	192.168.2.22	132.37.27.147
Mar 19, 2024 12:59:56.637828112 CET	49628	445	192.168.2.22	154.51.10.47
Mar 19, 2024 12:59:56.637911081 CET	49629	445	192.168.2.22	113.239.2.121
Mar 19, 2024 12:59:56.638051987 CET	49630	445	192.168.2.22	116.35.107.200
Mar 19, 2024 12:59:56.638212919 CET	445	49616	202.158.247.182	192.168.2.22
Mar 19, 2024 12:59:56.732157946 CET	49631	445	192.168.2.22	151.14.50.42
Mar 19, 2024 12:59:56.732239008 CET	49632	445	192.168.2.22	158.226.220.137
Mar 19, 2024 12:59:56.840635061 CET	49633	445	192.168.2.22	48.94.176.35
Mar 19, 2024 12:59:57.011717081 CET	49634	445	192.168.2.22	133.158.40.48
Mar 19, 2024 12:59:57.096165895 CET	49635	445	192.168.2.22	201.242.74.131
Mar 19, 2024 12:59:57.096354961 CET	49636	445	192.168.2.22	203.171.114.130
Mar 19, 2024 12:59:57.105637074 CET	49637	445	192.168.2.22	85.132.142.119
Mar 19, 2024 12:59:57.199188948 CET	49638	445	192.168.2.22	162.164.12.31
Mar 19, 2024 12:59:57.199347973 CET	49639	445	192.168.2.22	72.31.99.189
Mar 19, 2024 12:59:57.292939901 CET	49640	445	192.168.2.22	123.174.233.12
Mar 19, 2024 12:59:57.389767885 CET	445	49636	203.171.114.130	192.168.2.22
Mar 19, 2024 12:59:57.480633974 CET	49641	445	192.168.2.22	62.104.233.177
Mar 19, 2024 12:59:57.651905060 CET	49642	445	192.168.2.22	81.62.36.165
Mar 19, 2024 12:59:57.651932001 CET	49643	445	192.168.2.22	162.27.135.93
Mar 19, 2024 12:59:57.761107922 CET	49644	445	192.168.2.22	158.61.92.35
Mar 19, 2024 12:59:57.761107922 CET	49645	445	192.168.2.22	97.100.26.53
Mar 19, 2024 12:59:57.761142969 CET	49646	445	192.168.2.22	192.142.45.6
Mar 19, 2024 12:59:57.854413033 CET	49647	445	192.168.2.22	37.220.88.46
Mar 19, 2024 12:59:57.854470968 CET	49648	445	192.168.2.22	6.73.76.69
Mar 19, 2024 12:59:57.901093006 CET	49636	445	192.168.2.22	203.171.114.130
Mar 19, 2024 12:59:57.963566065 CET	49649	445	192.168.2.22	91.36.12.140
Mar 19, 2024 12:59:58.119710922 CET	49650	445	192.168.2.22	112.72.148.96
Mar 19, 2024 12:59:58.195919037 CET	445	49636	203.171.114.130	192.168.2.22
Mar 19, 2024 12:59:58.213311911 CET	49651	445	192.168.2.22	143.95.129.224
Mar 19, 2024 12:59:58.213753939 CET	49652	445	192.168.2.22	176.28.118.232
Mar 19, 2024 12:59:58.228744030 CET	49653	445	192.168.2.22	136.159.215.0
Mar 19, 2024 12:59:58.322464943 CET	49654	445	192.168.2.22	129.242.93.34
Mar 19, 2024 12:59:58.322757006 CET	49655	445	192.168.2.22	37.48.90.207
Mar 19, 2024 12:59:58.416043043 CET	49656	445	192.168.2.22	153.174.7.1
Mar 19, 2024 12:59:58.603276014 CET	49657	445	192.168.2.22	196.113.21.142
Mar 19, 2024 12:59:58.785021067 CET	49658	445	192.168.2.22	147.14.242.12
Mar 19, 2024 12:59:58.785140991 CET	49659	445	192.168.2.22	28.6.239.213
Mar 19, 2024 12:59:58.884417057 CET	49660	445	192.168.2.22	201.129.102.147
Mar 19, 2024 12:59:58.884821892 CET	49661	445	192.168.2.22	216.19.53.67
Mar 19, 2024 12:59:58.885143995 CET	49662	445	192.168.2.22	106.165.33.38
Mar 19, 2024 12:59:58.977579117 CET	49663	445	192.168.2.22	29.139.183.139
Mar 19, 2024 12:59:58.977655888 CET	49664	445	192.168.2.22	148.20.47.185
Mar 19, 2024 12:59:59.086797953 CET	49665	445	192.168.2.22	213.17.237.37
Mar 19, 2024 12:59:59.242928028 CET	49666	445	192.168.2.22	87.46.190.0
Mar 19, 2024 12:59:59.336508036 CET	49667	445	192.168.2.22	214.226.39.253
Mar 19, 2024 12:59:59.336632013 CET	49668	445	192.168.2.22	27.191.167.194
Mar 19, 2024 12:59:59.352072954 CET	49669	445	192.168.2.22	135.222.6.77
Mar 19, 2024 12:59:59.445627928 CET	49670	445	192.168.2.22	91.165.222.113
Mar 19, 2024 12:59:59.446016073 CET	49671	445	192.168.2.22	40.187.230.167
Mar 19, 2024 12:59:59.492598057 CET	49672	445	192.168.2.22	87.216.160.164
Mar 19, 2024 12:59:59.539395094 CET	49673	445	192.168.2.22	42.148.15.90
Mar 19, 2024 12:59:59.726752996 CET	49674	445	192.168.2.22	91.187.42.135
Mar 19, 2024 12:59:59.898850918 CET	49675	445	192.168.2.22	106.157.92.218
Mar 19, 2024 12:59:59.899173021 CET	49676	445	192.168.2.22	219.76.4.79
Mar 19, 2024 13:00:00.007371902 CET	49677	445	192.168.2.22	205.206.53.56
Mar 19, 2024 13:00:00.007414103 CET	49678	445	192.168.2.22	149.188.194.77
Mar 19, 2024 13:00:00.007646084 CET	49679	445	192.168.2.22	129.168.118.9
Mar 19, 2024 13:00:00.100912094 CET	49681	445	192.168.2.22	142.28.123.129
Mar 19, 2024 13:00:00.100919962 CET	49680	445	192.168.2.22	149.231.84.234
Mar 19, 2024 13:00:00.210094929 CET	49682	445	192.168.2.22	222.153.210.102
Mar 19, 2024 13:00:00.366183996 CET	49683	445	192.168.2.22	64.123.217.99
Mar 19, 2024 13:00:00.459760904 CET	49684	445	192.168.2.22	61.5.56.98
Mar 19, 2024 13:00:00.459769011 CET	49685	445	192.168.2.22	49.47.136.204
Mar 19, 2024 13:00:00.475270033 CET	49686	445	192.168.2.22	5.193.22.125
Mar 19, 2024 13:00:00.568876982 CET	49687	445	192.168.2.22	80.120.103.102
Mar 19, 2024 13:00:00.569190979 CET	49688	445	192.168.2.22	64.254.249.189
Mar 19, 2024 13:00:00.615712881 CET	49689	445	192.168.2.22	118.221.182.236
Mar 19, 2024 13:00:00.662440062 CET	49690	445	192.168.2.22	180.164.71.7
Mar 19, 2024 13:00:00.851169109 CET	49691	445	192.168.2.22	119.71.205.231
Mar 19, 2024 13:00:01.021384001 CET	49692	445	192.168.2.22	185.171.145.224
Mar 19, 2024 13:00:01.021903992 CET	49693	445	192.168.2.22	20.130.16.226
Mar 19, 2024 13:00:01.130505085 CET	49694	445	192.168.2.22	139.96.26.201
Mar 19, 2024 13:00:01.130506039 CET	49695	445	192.168.2.22	188.182.177.110
Mar 19, 2024 13:00:01.130928993 CET	49696	445	192.168.2.22	131.37.229.158
Mar 19, 2024 13:00:01.224081993 CET	49697	445	192.168.2.22	159.226.252.149
Mar 19, 2024 13:00:01.224112034 CET	49698	445	192.168.2.22	110.174.178.174
Mar 19, 2024 13:00:01.333539009 CET	49699	445	192.168.2.22	115.212.175.79
Mar 19, 2024 13:00:01.489245892 CET	49700	445	192.168.2.22	190.213.32.37
Mar 19, 2024 13:00:01.505013943 CET	49701	445	192.168.2.22	173.186.164.4
Mar 19, 2024 13:00:01.583379030 CET	49703	445	192.168.2.22	215.242.160.1
Mar 19, 2024 13:00:01.598660946 CET	49704	445	192.168.2.22	71.170.251.169
Mar 19, 2024 13:00:01.691972971 CET	49705	445	192.168.2.22	98.40.229.82
Mar 19, 2024 13:00:01.692105055 CET	49706	445	192.168.2.22	14.218.218.74
Mar 19, 2024 13:00:01.739450932 CET	49707	445	192.168.2.22	35.160.146.149
Mar 19, 2024 13:00:01.785594940 CET	49708	445	192.168.2.22	94.35.174.226
Mar 19, 2024 13:00:01.972806931 CET	49709	445	192.168.2.22	112.119.8.65
Mar 19, 2024 13:00:02.144536018 CET	49710	445	192.168.2.22	177.2.160.134
Mar 19, 2024 13:00:02.144650936 CET	49711	445	192.168.2.22	125.220.152.17
Mar 19, 2024 13:00:02.253675938 CET	49712	445	192.168.2.22	147.70.80.199
Mar 19, 2024 13:00:02.253675938 CET	49713	445	192.168.2.22	198.25.218.232
Mar 19, 2024 13:00:02.253830910 CET	49714	445	192.168.2.22	71.100.202.250
Mar 19, 2024 13:00:02.347248077 CET	49715	445	192.168.2.22	2.40.218.113
Mar 19, 2024 13:00:02.347289085 CET	49716	445	192.168.2.22	18.76.155.175
Mar 19, 2024 13:00:02.456512928 CET	49717	445	192.168.2.22	140.253.98.249
Mar 19, 2024 13:00:02.612591028 CET	49718	445	192.168.2.22	3.239.24.217
Mar 19, 2024 13:00:02.628115892 CET	49719	445	192.168.2.22	68.161.147.73
Mar 19, 2024 13:00:02.706145048 CET	49720	445	192.168.2.22	123.159.142.114
Mar 19, 2024 13:00:02.706212997 CET	49721	445	192.168.2.22	197.204.215.103
Mar 19, 2024 13:00:02.721554995 CET	49722	445	192.168.2.22	67.54.254.150
Mar 19, 2024 13:00:02.815283060 CET	49723	445	192.168.2.22	12.165.139.53
Mar 19, 2024 13:00:02.815329075 CET	49724	445	192.168.2.22	170.76.69.88
Mar 19, 2024 13:00:02.862312078 CET	49725	445	192.168.2.22	54.229.52.9
Mar 19, 2024 13:00:02.908807993 CET	49726	445	192.168.2.22	69.155.30.244
Mar 19, 2024 13:00:03.096024036 CET	49727	445	192.168.2.22	198.134.147.252
Mar 19, 2024 13:00:03.270848989 CET	49728	445	192.168.2.22	118.90.2.158
Mar 19, 2024 13:00:03.270966053 CET	49729	445	192.168.2.22	204.126.37.4
Mar 19, 2024 13:00:03.376971960 CET	49730	445	192.168.2.22	176.46.4.121
Mar 19, 2024 13:00:03.377089024 CET	49731	445	192.168.2.22	198.254.37.18
Mar 19, 2024 13:00:03.377170086 CET	49732	445	192.168.2.22	106.106.74.71
Mar 19, 2024 13:00:03.377289057 CET	49733	445	192.168.2.22	164.143.13.49
Mar 19, 2024 13:00:03.470710993 CET	49734	445	192.168.2.22	120.236.194.52
Mar 19, 2024 13:00:03.471163988 CET	49735	445	192.168.2.22	136.169.212.0
Mar 19, 2024 13:00:03.580173016 CET	49736	445	192.168.2.22	132.243.77.99
Mar 19, 2024 13:00:03.736011028 CET	49737	445	192.168.2.22	175.154.24.244
Mar 19, 2024 13:00:03.751565933 CET	49738	445	192.168.2.22	27.215.228.95
Mar 19, 2024 13:00:03.829440117 CET	49739	445	192.168.2.22	176.243.101.64
Mar 19, 2024 13:00:03.829822063 CET	49740	445	192.168.2.22	65.189.166.92
Mar 19, 2024 13:00:03.844763041 CET	49741	445	192.168.2.22	169.56.106.90
Mar 19, 2024 13:00:03.938496113 CET	49742	445	192.168.2.22	116.42.71.36
Mar 19, 2024 13:00:03.938592911 CET	49743	445	192.168.2.22	188.248.218.30
Mar 19, 2024 13:00:03.985194921 CET	49744	445	192.168.2.22	197.38.104.23
Mar 19, 2024 13:00:04.032012939 CET	49745	445	192.168.2.22	36.128.200.136
Mar 19, 2024 13:00:04.219455004 CET	49746	445	192.168.2.22	198.122.228.181
Mar 19, 2024 13:00:04.391585112 CET	49747	445	192.168.2.22	174.89.235.13
Mar 19, 2024 13:00:04.391932964 CET	49748	445	192.168.2.22	18.143.85.11
Mar 19, 2024 13:00:04.499993086 CET	49749	445	192.168.2.22	12.1.106.149
Mar 19, 2024 13:00:04.500262976 CET	49750	445	192.168.2.22	105.163.36.208
Mar 19, 2024 13:00:04.500603914 CET	49751	445	192.168.2.22	128.13.176.228
Mar 19, 2024 13:00:04.500925064 CET	49752	445	192.168.2.22	97.93.75.193
Mar 19, 2024 13:00:04.593630075 CET	49753	445	192.168.2.22	68.14.229.153
Mar 19, 2024 13:00:04.593719006 CET	49754	445	192.168.2.22	101.234.226.3
Mar 19, 2024 13:00:04.702954054 CET	49755	445	192.168.2.22	138.44.154.38
Mar 19, 2024 13:00:04.858916998 CET	49756	445	192.168.2.22	219.172.167.154
Mar 19, 2024 13:00:04.874386072 CET	49757	445	192.168.2.22	220.32.79.137
Mar 19, 2024 13:00:04.952491045 CET	49758	445	192.168.2.22	2.121.138.26
Mar 19, 2024 13:00:04.952625990 CET	49759	445	192.168.2.22	9.96.238.236
Mar 19, 2024 13:00:04.968143940 CET	49760	445	192.168.2.22	107.14.139.224
Mar 19, 2024 13:00:05.061582088 CET	49761	445	192.168.2.22	26.205.175.224
Mar 19, 2024 13:00:05.061732054 CET	49762	445	192.168.2.22	147.164.247.100
Mar 19, 2024 13:00:05.108403921 CET	49763	445	192.168.2.22	136.75.115.59
Mar 19, 2024 13:00:05.124792099 CET	49764	445	192.168.2.22	59.196.215.236
Mar 19, 2024 13:00:05.155184984 CET	49765	445	192.168.2.22	26.37.225.237
Mar 19, 2024 13:00:05.342474937 CET	49766	445	192.168.2.22	115.54.121.80
Mar 19, 2024 13:00:05.514182091 CET	49767	445	192.168.2.22	88.116.56.48
Mar 19, 2024 13:00:05.514229059 CET	49768	445	192.168.2.22	42.83.208.175
Mar 19, 2024 13:00:05.623209000 CET	49769	445	192.168.2.22	102.51.11.165
Mar 19, 2024 13:00:05.623374939 CET	49770	445	192.168.2.22	199.172.246.202
Mar 19, 2024 13:00:05.623467922 CET	49772	445	192.168.2.22	216.91.216.92
Mar 19, 2024 13:00:05.623469114 CET	49771	445	192.168.2.22	21.72.200.48
Mar 19, 2024 13:00:05.718297958 CET	49773	445	192.168.2.22	200.11.231.254
Mar 19, 2024 13:00:05.718400002 CET	49774	445	192.168.2.22	138.140.209.170
Mar 19, 2024 13:00:05.826061010 CET	49775	445	192.168.2.22	39.93.97.244
Mar 19, 2024 13:00:05.982192039 CET	49776	445	192.168.2.22	57.104.217.184
Mar 19, 2024 13:00:05.997587919 CET	49777	445	192.168.2.22	122.191.234.206
Mar 19, 2024 13:00:06.076474905 CET	49778	445	192.168.2.22	205.27.71.224
Mar 19, 2024 13:00:06.076622963 CET	49779	445	192.168.2.22	185.22.159.186
Mar 19, 2024 13:00:06.091219902 CET	49780	445	192.168.2.22	180.217.111.193
Mar 19, 2024 13:00:06.185142994 CET	49781	445	192.168.2.22	152.109.38.26
Mar 19, 2024 13:00:06.185265064 CET	49782	445	192.168.2.22	152.206.234.248
Mar 19, 2024 13:00:06.231812000 CET	49783	445	192.168.2.22	27.24.172.27
Mar 19, 2024 13:00:06.247423887 CET	49784	445	192.168.2.22	148.17.170.250
Mar 19, 2024 13:00:06.278754950 CET	49785	445	192.168.2.22	29.175.48.22
Mar 19, 2024 13:00:06.465926886 CET	49786	445	192.168.2.22	19.243.49.171
Mar 19, 2024 13:00:06.637821913 CET	49787	445	192.168.2.22	106.212.73.219
Mar 19, 2024 13:00:06.637891054 CET	49788	445	192.168.2.22	147.246.139.59
Mar 19, 2024 13:00:06.746711969 CET	49789	445	192.168.2.22	6.8.153.55
Mar 19, 2024 13:00:06.747081995 CET	49791	445	192.168.2.22	161.147.235.198
Mar 19, 2024 13:00:06.747503042 CET	49792	445	192.168.2.22	190.231.7.196
Mar 19, 2024 13:00:06.747503996 CET	49790	445	192.168.2.22	219.36.107.216
Mar 19, 2024 13:00:06.762984991 CET	49793	445	192.168.2.22	214.159.201.75
Mar 19, 2024 13:00:06.840192080 CET	49794	445	192.168.2.22	76.124.122.223
Mar 19, 2024 13:00:06.840405941 CET	49795	445	192.168.2.22	160.85.166.139
Mar 19, 2024 13:00:06.949680090 CET	49796	445	192.168.2.22	165.142.245.220
Mar 19, 2024 13:00:07.105701923 CET	49797	445	192.168.2.22	135.123.39.190
Mar 19, 2024 13:00:07.121129036 CET	49798	445	192.168.2.22	78.35.7.169
Mar 19, 2024 13:00:07.199481010 CET	49800	445	192.168.2.22	76.188.114.184
Mar 19, 2024 13:00:07.199528933 CET	49799	445	192.168.2.22	177.223.53.224
Mar 19, 2024 13:00:07.214610100 CET	49801	445	192.168.2.22	156.94.216.243
Mar 19, 2024 13:00:07.308320045 CET	49802	445	192.168.2.22	66.31.151.211
Mar 19, 2024 13:00:07.308610916 CET	49803	445	192.168.2.22	109.155.105.122
Mar 19, 2024 13:00:07.355084896 CET	49804	445	192.168.2.22	74.145.197.25
Mar 19, 2024 13:00:07.370435953 CET	49805	445	192.168.2.22	56.163.2.100
Mar 19, 2024 13:00:07.401736021 CET	49806	445	192.168.2.22	183.3.178.100
Mar 19, 2024 13:00:07.589083910 CET	49807	445	192.168.2.22	138.243.55.41
Mar 19, 2024 13:00:07.760696888 CET	49808	445	192.168.2.22	189.0.242.44
Mar 19, 2024 13:00:07.776137114 CET	49809	445	192.168.2.22	139.63.116.81
Mar 19, 2024 13:00:07.869627953 CET	49810	445	192.168.2.22	149.136.216.70
Mar 19, 2024 13:00:07.869854927 CET	49811	445	192.168.2.22	36.135.36.7
Mar 19, 2024 13:00:07.870069027 CET	49812	445	192.168.2.22	150.170.164.117
Mar 19, 2024 13:00:07.885215998 CET	49813	445	192.168.2.22	34.147.91.142
Mar 19, 2024 13:00:07.885412931 CET	49814	445	192.168.2.22	78.167.157.40
Mar 19, 2024 13:00:07.963172913 CET	49815	445	192.168.2.22	1.170.135.252
Mar 19, 2024 13:00:07.963253021 CET	49816	445	192.168.2.22	99.214.113.187
Mar 19, 2024 13:00:08.072443008 CET	49817	445	192.168.2.22	174.143.252.156
Mar 19, 2024 13:00:08.228528023 CET	49818	445	192.168.2.22	204.127.189.71
Mar 19, 2024 13:00:08.244194031 CET	49819	445	192.168.2.22	143.50.52.46
Mar 19, 2024 13:00:08.291352987 CET	49820	445	192.168.2.22	91.79.50.50
Mar 19, 2024 13:00:08.322052002 CET	49821	445	192.168.2.22	86.168.76.45
Mar 19, 2024 13:00:08.322499990 CET	49822	445	192.168.2.22	154.25.120.225
Mar 19, 2024 13:00:08.337783098 CET	49823	445	192.168.2.22	18.188.84.117
Mar 19, 2024 13:00:08.431349039 CET	49824	445	192.168.2.22	219.241.141.204
Mar 19, 2024 13:00:08.431353092 CET	49825	445	192.168.2.22	23.89.55.92
Mar 19, 2024 13:00:08.478125095 CET	49826	445	192.168.2.22	31.141.116.235
Mar 19, 2024 13:00:08.493594885 CET	49827	445	192.168.2.22	77.191.157.219
Mar 19, 2024 13:00:08.524838924 CET	49828	445	192.168.2.22	129.154.186.116
Mar 19, 2024 13:00:08.712214947 CET	49829	445	192.168.2.22	46.28.216.35
Mar 19, 2024 13:00:08.884268045 CET	49830	445	192.168.2.22	56.103.73.203
Mar 19, 2024 13:00:08.899383068 CET	49831	445	192.168.2.22	193.224.14.113
Mar 19, 2024 13:00:08.993041992 CET	49832	445	192.168.2.22	113.161.74.198
Mar 19, 2024 13:00:08.993181944 CET	49833	445	192.168.2.22	158.149.160.8
Mar 19, 2024 13:00:09.008433104 CET	49834	445	192.168.2.22	22.94.129.209
Mar 19, 2024 13:00:09.008594990 CET	49835	445	192.168.2.22	164.175.23.251
Mar 19, 2024 13:00:09.008980989 CET	49836	445	192.168.2.22	178.93.136.97
Mar 19, 2024 13:00:09.087642908 CET	49837	445	192.168.2.22	85.93.150.186
Mar 19, 2024 13:00:09.087704897 CET	49838	445	192.168.2.22	101.55.158.105
Mar 19, 2024 13:00:09.196014881 CET	49839	445	192.168.2.22	49.24.189.209
Mar 19, 2024 13:00:09.291017056 CET	445	49837	85.93.150.186	192.168.2.22
Mar 19, 2024 13:00:09.352236032 CET	49840	445	192.168.2.22	43.64.93.207
Mar 19, 2024 13:00:09.367897987 CET	49841	445	192.168.2.22	57.43.210.149
Mar 19, 2024 13:00:09.415339947 CET	49842	445	192.168.2.22	169.107.235.152
Mar 19, 2024 13:00:09.445302010 CET	49843	445	192.168.2.22	64.112.144.196
Mar 19, 2024 13:00:09.445394039 CET	49844	445	192.168.2.22	43.53.66.113
Mar 19, 2024 13:00:09.461177111 CET	49845	445	192.168.2.22	58.123.78.126
Mar 19, 2024 13:00:09.554608107 CET	49846	445	192.168.2.22	117.41.81.110
Mar 19, 2024 13:00:09.554830074 CET	49847	445	192.168.2.22	96.72.23.9
Mar 19, 2024 13:00:09.601363897 CET	49848	445	192.168.2.22	80.41.161.241
Mar 19, 2024 13:00:09.617017031 CET	49849	445	192.168.2.22	130.51.237.124
Mar 19, 2024 13:00:09.648013115 CET	49850	445	192.168.2.22	101.83.135.132
Mar 19, 2024 13:00:09.711276054 CET	49851	445	192.168.2.22	72.219.198.47
Mar 19, 2024 13:00:09.803906918 CET	49837	445	192.168.2.22	85.93.150.186
Mar 19, 2024 13:00:09.835525036 CET	49852	445	192.168.2.22	148.241.67.94
Mar 19, 2024 13:00:10.006954908 CET	49853	445	192.168.2.22	81.13.102.164
Mar 19, 2024 13:00:10.008765936 CET	445	49837	85.93.150.186	192.168.2.22
Mar 19, 2024 13:00:10.022618055 CET	49854	445	192.168.2.22	82.235.37.139
Mar 19, 2024 13:00:10.116164923 CET	49855	445	192.168.2.22	87.213.145.215
Mar 19, 2024 13:00:10.131742954 CET	49856	445	192.168.2.22	87.52.236.18
Mar 19, 2024 13:00:10.131865025 CET	49857	445	192.168.2.22	216.177.48.252
Mar 19, 2024 13:00:10.131894112 CET	49858	445	192.168.2.22	110.33.225.204
Mar 19, 2024 13:00:10.132061958 CET	49859	445	192.168.2.22	49.210.68.56
Mar 19, 2024 13:00:10.209973097 CET	49860	445	192.168.2.22	40.137.151.117
Mar 19, 2024 13:00:10.319025040 CET	49862	445	192.168.2.22	107.3.40.45
Mar 19, 2024 13:00:10.475187063 CET	49863	445	192.168.2.22	158.143.19.97
Mar 19, 2024 13:00:10.490483999 CET	49864	445	192.168.2.22	66.21.114.26
Mar 19, 2024 13:00:10.537847996 CET	49865	445	192.168.2.22	38.109.226.240
Mar 19, 2024 13:00:10.569317102 CET	49866	445	192.168.2.22	115.32.225.65
Mar 19, 2024 13:00:10.569550037 CET	49867	445	192.168.2.22	70.192.7.142
Mar 19, 2024 13:00:10.584222078 CET	49868	445	192.168.2.22	209.119.240.196
Mar 19, 2024 13:00:10.677937031 CET	49869	445	192.168.2.22	58.43.140.35
Mar 19, 2024 13:00:10.678395033 CET	49870	445	192.168.2.22	89.72.30.172
Mar 19, 2024 13:00:10.724730015 CET	49871	445	192.168.2.22	167.149.245.132
Mar 19, 2024 13:00:10.740428925 CET	49872	445	192.168.2.22	194.4.17.188
Mar 19, 2024 13:00:10.771656036 CET	49873	445	192.168.2.22	151.49.64.247
Mar 19, 2024 13:00:10.833868980 CET	49874	445	192.168.2.22	76.253.205.230
Mar 19, 2024 13:00:10.958456039 CET	49875	445	192.168.2.22	75.108.168.203
Mar 19, 2024 13:00:11.037240982 CET	49876	445	192.168.2.22	184.202.235.59
Mar 19, 2024 13:00:11.149970055 CET	49877	445	192.168.2.22	183.178.42.245
Mar 19, 2024 13:00:11.150068045 CET	49878	445	192.168.2.22	4.91.53.110
Mar 19, 2024 13:00:11.254837036 CET	49879	445	192.168.2.22	93.179.86.193
Mar 19, 2024 13:00:11.254893064 CET	49880	445	192.168.2.22	157.146.82.133
Mar 19, 2024 13:00:11.254935980 CET	49881	445	192.168.2.22	154.110.19.252
Mar 19, 2024 13:00:11.255101919 CET	49882	445	192.168.2.22	220.156.123.118
Mar 19, 2024 13:00:11.255403996 CET	49883	445	192.168.2.22	207.124.181.122
Mar 19, 2024 13:00:11.332844019 CET	49884	445	192.168.2.22	161.222.15.152
Mar 19, 2024 13:00:11.332942963 CET	49885	445	192.168.2.22	219.225.188.194
Mar 19, 2024 13:00:11.442208052 CET	49886	445	192.168.2.22	34.153.232.22
Mar 19, 2024 13:00:11.598557949 CET	49887	445	192.168.2.22	151.220.107.22
Mar 19, 2024 13:00:11.613852024 CET	49888	445	192.168.2.22	128.218.137.166
Mar 19, 2024 13:00:11.660569906 CET	49889	445	192.168.2.22	210.42.45.139
Mar 19, 2024 13:00:11.691803932 CET	49890	445	192.168.2.22	98.22.18.81
Mar 19, 2024 13:00:11.691946983 CET	49891	445	192.168.2.22	185.161.75.21
Mar 19, 2024 13:00:11.707215071 CET	49892	445	192.168.2.22	58.228.118.103
Mar 19, 2024 13:00:11.800899029 CET	49893	445	192.168.2.22	161.179.168.184
Mar 19, 2024 13:00:11.800987959 CET	49894	445	192.168.2.22	72.193.178.235
Mar 19, 2024 13:00:11.848505974 CET	49895	445	192.168.2.22	72.77.103.32
Mar 19, 2024 13:00:11.863935947 CET	49896	445	192.168.2.22	178.168.168.36
Mar 19, 2024 13:00:11.894666910 CET	49897	445	192.168.2.22	161.241.138.204
Mar 19, 2024 13:00:11.956804991 CET	49898	445	192.168.2.22	89.55.127.215
Mar 19, 2024 13:00:12.082000971 CET	49899	445	192.168.2.22	11.25.244.199
Mar 19, 2024 13:00:12.160243034 CET	49900	445	192.168.2.22	27.118.41.77
Mar 19, 2024 13:00:12.269254923 CET	49901	445	192.168.2.22	139.110.30.40
Mar 19, 2024 13:00:12.269510031 CET	49902	445	192.168.2.22	63.26.237.88
Mar 19, 2024 13:00:12.284995079 CET	49903	445	192.168.2.22	45.214.149.37
Mar 19, 2024 13:00:12.378243923 CET	49904	445	192.168.2.22	52.219.132.31
Mar 19, 2024 13:00:12.378478050 CET	49906	445	192.168.2.22	197.222.140.238
Mar 19, 2024 13:00:12.378556967 CET	49905	445	192.168.2.22	94.167.25.193
Mar 19, 2024 13:00:12.378798008 CET	49907	445	192.168.2.22	93.224.212.50
Mar 19, 2024 13:00:12.378973007 CET	49908	445	192.168.2.22	212.141.103.197
Mar 19, 2024 13:00:12.456357956 CET	49909	445	192.168.2.22	142.246.97.110
Mar 19, 2024 13:00:12.456562996 CET	49910	445	192.168.2.22	27.199.60.46
Mar 19, 2024 13:00:12.565468073 CET	49911	445	192.168.2.22	207.22.133.235
Mar 19, 2024 13:00:12.721849918 CET	49912	445	192.168.2.22	218.95.210.45
Mar 19, 2024 13:00:12.737140894 CET	49913	445	192.168.2.22	99.86.180.201
Mar 19, 2024 13:00:12.783862114 CET	49914	445	192.168.2.22	179.86.49.183
Mar 19, 2024 13:00:12.815043926 CET	49915	445	192.168.2.22	22.212.166.190
Mar 19, 2024 13:00:12.815197945 CET	49916	445	192.168.2.22	138.0.183.163
Mar 19, 2024 13:00:12.830718040 CET	49917	445	192.168.2.22	75.70.62.251
Mar 19, 2024 13:00:12.924245119 CET	49918	445	192.168.2.22	64.131.217.28
Mar 19, 2024 13:00:12.924612045 CET	49919	445	192.168.2.22	50.161.20.194
Mar 19, 2024 13:00:12.971326113 CET	49920	445	192.168.2.22	183.135.45.82
Mar 19, 2024 13:00:12.986685991 CET	49921	445	192.168.2.22	106.128.95.181
Mar 19, 2024 13:00:13.017663956 CET	49922	445	192.168.2.22	178.163.116.148
Mar 19, 2024 13:00:13.080184937 CET	49923	445	192.168.2.22	142.68.192.178
Mar 19, 2024 13:00:13.204925060 CET	49924	445	192.168.2.22	124.77.168.22
Mar 19, 2024 13:00:13.283008099 CET	49925	445	192.168.2.22	181.87.171.89
Mar 19, 2024 13:00:13.392371893 CET	49926	445	192.168.2.22	57.91.132.16
Mar 19, 2024 13:00:13.392739058 CET	49927	445	192.168.2.22	175.46.11.117
Mar 19, 2024 13:00:13.407655001 CET	49928	445	192.168.2.22	128.88.221.129
Mar 19, 2024 13:00:13.439152002 CET	49929	445	192.168.2.22	121.107.219.89
Mar 19, 2024 13:00:13.501202106 CET	49930	445	192.168.2.22	168.236.242.61
Mar 19, 2024 13:00:13.501288891 CET	49931	445	192.168.2.22	17.118.0.188
Mar 19, 2024 13:00:13.501296043 CET	49932	445	192.168.2.22	19.124.227.36
Mar 19, 2024 13:00:13.501471043 CET	49933	445	192.168.2.22	146.15.222.137
Mar 19, 2024 13:00:13.501612902 CET	49934	445	192.168.2.22	202.232.133.126
Mar 19, 2024 13:00:13.579313993 CET	49935	445	192.168.2.22	119.189.170.27
Mar 19, 2024 13:00:13.579411030 CET	49936	445	192.168.2.22	168.49.112.209
Mar 19, 2024 13:00:13.688635111 CET	49937	445	192.168.2.22	30.105.213.66
Mar 19, 2024 13:00:13.845000982 CET	49938	445	192.168.2.22	58.154.140.71
Mar 19, 2024 13:00:13.860013008 CET	49939	445	192.168.2.22	47.90.173.150
Mar 19, 2024 13:00:13.911473036 CET	49940	445	192.168.2.22	33.83.51.103
Mar 19, 2024 13:00:13.938153028 CET	49941	445	192.168.2.22	189.17.172.53
Mar 19, 2024 13:00:13.938311100 CET	49942	445	192.168.2.22	64.33.132.237
Mar 19, 2024 13:00:13.953660011 CET	49943	445	192.168.2.22	101.97.15.203
Mar 19, 2024 13:00:14.047311068 CET	49944	445	192.168.2.22	196.83.52.9
Mar 19, 2024 13:00:14.047338009 CET	49945	445	192.168.2.22	182.175.89.36
Mar 19, 2024 13:00:14.094078064 CET	49946	445	192.168.2.22	110.26.166.155
Mar 19, 2024 13:00:14.109899998 CET	49947	445	192.168.2.22	199.32.139.77
Mar 19, 2024 13:00:14.141124010 CET	49948	445	192.168.2.22	147.177.56.64
Mar 19, 2024 13:00:14.203243017 CET	49949	445	192.168.2.22	117.77.126.0
Mar 19, 2024 13:00:14.328298092 CET	49950	445	192.168.2.22	86.221.65.237
Mar 19, 2024 13:00:14.406155109 CET	49951	445	192.168.2.22	100.115.189.197
Mar 19, 2024 13:00:14.515511990 CET	49952	445	192.168.2.22	86.174.193.206
Mar 19, 2024 13:00:14.515650034 CET	49953	445	192.168.2.22	112.112.101.108
Mar 19, 2024 13:00:14.515795946 CET	49954	445	192.168.2.22	203.119.76.53
Mar 19, 2024 13:00:14.530853033 CET	49955	445	192.168.2.22	188.107.91.2
Mar 19, 2024 13:00:14.562048912 CET	49956	445	192.168.2.22	46.183.92.6
Mar 19, 2024 13:00:14.624428988 CET	49957	445	192.168.2.22	99.190.207.228
Mar 19, 2024 13:00:14.624500990 CET	49958	445	192.168.2.22	102.231.220.238
Mar 19, 2024 13:00:14.624660969 CET	49959	445	192.168.2.22	167.209.146.183
Mar 19, 2024 13:00:14.624738932 CET	49961	445	192.168.2.22	105.224.244.150
Mar 19, 2024 13:00:14.624818087 CET	49960	445	192.168.2.22	90.206.241.66
Mar 19, 2024 13:00:14.702605009 CET	49962	445	192.168.2.22	6.93.67.237
Mar 19, 2024 13:00:14.702646017 CET	49963	445	192.168.2.22	121.181.181.204
Mar 19, 2024 13:00:14.812036991 CET	49964	445	192.168.2.22	221.152.165.133
Mar 19, 2024 13:00:14.967745066 CET	49965	445	192.168.2.22	61.54.68.247
Mar 19, 2024 13:00:14.983575106 CET	49966	445	192.168.2.22	163.195.106.64
Mar 19, 2024 13:00:15.030236006 CET	49967	445	192.168.2.22	34.237.180.249
Mar 19, 2024 13:00:15.061363935 CET	49968	445	192.168.2.22	101.213.66.159
Mar 19, 2024 13:00:15.061527014 CET	49969	445	192.168.2.22	69.95.207.41
Mar 19, 2024 13:00:15.077126980 CET	49970	445	192.168.2.22	130.38.145.204
Mar 19, 2024 13:00:15.170711040 CET	49971	445	192.168.2.22	206.1.225.51
Mar 19, 2024 13:00:15.170782089 CET	49972	445	192.168.2.22	52.30.49.140
Mar 19, 2024 13:00:15.217448950 CET	49973	445	192.168.2.22	180.161.139.237
Mar 19, 2024 13:00:15.233079910 CET	49974	445	192.168.2.22	61.171.13.198
Mar 19, 2024 13:00:15.264477015 CET	49975	445	192.168.2.22	33.170.117.111
Mar 19, 2024 13:00:15.326673031 CET	49976	445	192.168.2.22	131.85.119.123
Mar 19, 2024 13:00:15.451556921 CET	49977	445	192.168.2.22	152.235.16.168
Mar 19, 2024 13:00:15.529457092 CET	49978	445	192.168.2.22	210.34.9.152
Mar 19, 2024 13:00:15.529664993 CET	49979	445	192.168.2.22	54.191.179.140
Mar 19, 2024 13:00:15.638686895 CET	49980	445	192.168.2.22	196.90.219.34
Mar 19, 2024 13:00:15.638791084 CET	49981	445	192.168.2.22	49.237.91.104
Mar 19, 2024 13:00:15.638798952 CET	49982	445	192.168.2.22	54.89.240.53
Mar 19, 2024 13:00:15.653991938 CET	49983	445	192.168.2.22	11.186.11.228
Mar 19, 2024 13:00:15.685484886 CET	49984	445	192.168.2.22	207.160.185.179
Mar 19, 2024 13:00:15.747608900 CET	49985	445	192.168.2.22	157.100.236.129
Mar 19, 2024 13:00:15.747674942 CET	49986	445	192.168.2.22	110.6.252.204
Mar 19, 2024 13:00:15.748331070 CET	49987	445	192.168.2.22	77.146.32.152
Mar 19, 2024 13:00:15.748584032 CET	49988	445	192.168.2.22	171.17.252.147
Mar 19, 2024 13:00:15.748919964 CET	49989	445	192.168.2.22	40.11.59.238
Mar 19, 2024 13:00:15.825558901 CET	49990	445	192.168.2.22	71.233.130.239
Mar 19, 2024 13:00:15.825661898 CET	49991	445	192.168.2.22	220.30.200.57
Mar 19, 2024 13:00:15.934803009 CET	49992	445	192.168.2.22	158.40.209.204
Mar 19, 2024 13:00:16.106528997 CET	49993	445	192.168.2.22	208.48.66.48
Mar 19, 2024 13:00:16.106596947 CET	49994	445	192.168.2.22	176.124.123.173
Mar 19, 2024 13:00:16.153306007 CET	49995	445	192.168.2.22	128.82.204.87
Mar 19, 2024 13:00:16.184627056 CET	49996	445	192.168.2.22	6.89.158.47
Mar 19, 2024 13:00:16.191751003 CET	49997	445	192.168.2.22	71.97.19.6
Mar 19, 2024 13:00:16.200273991 CET	49998	445	192.168.2.22	86.162.209.62
Mar 19, 2024 13:00:16.293723106 CET	49999	445	192.168.2.22	126.64.63.217
Mar 19, 2024 13:00:16.293911934 CET	50000	445	192.168.2.22	90.149.131.142
Mar 19, 2024 13:00:16.340656996 CET	50001	445	192.168.2.22	35.32.22.127
Mar 19, 2024 13:00:16.356570959 CET	50002	445	192.168.2.22	97.101.233.64
Mar 19, 2024 13:00:16.387389898 CET	50003	445	192.168.2.22	11.43.23.171
Mar 19, 2024 13:00:16.449610949 CET	50004	445	192.168.2.22	204.124.143.193
Mar 19, 2024 13:00:16.465486050 CET	50005	445	192.168.2.22	115.218.172.188
Mar 19, 2024 13:00:16.574562073 CET	50006	445	192.168.2.22	173.83.173.82
Mar 19, 2024 13:00:16.582463980 CET	445	50000	90.149.131.142	192.168.2.22
Mar 19, 2024 13:00:16.652540922 CET	50007	445	192.168.2.22	104.152.90.81
Mar 19, 2024 13:00:16.652606010 CET	50008	445	192.168.2.22	199.96.146.93
Mar 19, 2024 13:00:16.761648893 CET	50009	445	192.168.2.22	135.196.19.109
Mar 19, 2024 13:00:16.762337923 CET	50010	445	192.168.2.22	85.226.160.56
Mar 19, 2024 13:00:16.762715101 CET	50011	445	192.168.2.22	93.87.15.208
Mar 19, 2024 13:00:16.777188063 CET	50012	445	192.168.2.22	88.150.97.33
Mar 19, 2024 13:00:16.808443069 CET	50013	445	192.168.2.22	37.52.184.198
Mar 19, 2024 13:00:16.870786905 CET	50014	445	192.168.2.22	141.166.102.166
Mar 19, 2024 13:00:16.870857000 CET	50015	445	192.168.2.22	160.27.167.251
Mar 19, 2024 13:00:16.871131897 CET	50016	445	192.168.2.22	89.41.150.236
Mar 19, 2024 13:00:16.871370077 CET	50017	445	192.168.2.22	171.41.7.225
Mar 19, 2024 13:00:16.871690989 CET	50018	445	192.168.2.22	195.30.246.218
Mar 19, 2024 13:00:16.948765039 CET	50019	445	192.168.2.22	36.149.133.146
Mar 19, 2024 13:00:16.948841095 CET	50020	445	192.168.2.22	43.23.69.97
Mar 19, 2024 13:00:17.058254957 CET	50021	445	192.168.2.22	133.79.51.173
Mar 19, 2024 13:00:17.104922056 CET	50000	445	192.168.2.22	90.149.131.142
Mar 19, 2024 13:00:17.229691029 CET	50022	445	192.168.2.22	148.98.127.231
Mar 19, 2024 13:00:17.229835987 CET	50023	445	192.168.2.22	166.116.116.182
Mar 19, 2024 13:00:17.276684999 CET	50024	445	192.168.2.22	61.3.109.130
Mar 19, 2024 13:00:17.307948112 CET	50025	445	192.168.2.22	58.144.15.207
Mar 19, 2024 13:00:17.307952881 CET	50026	445	192.168.2.22	52.156.238.132
Mar 19, 2024 13:00:17.323227882 CET	50027	445	192.168.2.22	10.208.152.54
Mar 19, 2024 13:00:17.354646921 CET	50028	445	192.168.2.22	121.240.110.84
Mar 19, 2024 13:00:17.392846107 CET	445	50000	90.149.131.142	192.168.2.22
Mar 19, 2024 13:00:17.416804075 CET	50029	445	192.168.2.22	42.139.62.119
Mar 19, 2024 13:00:17.416966915 CET	50030	445	192.168.2.22	35.112.224.155
Mar 19, 2024 13:00:17.463697910 CET	50031	445	192.168.2.22	218.118.177.86
Mar 19, 2024 13:00:17.479474068 CET	50032	445	192.168.2.22	47.84.202.141
Mar 19, 2024 13:00:17.510593891 CET	50033	445	192.168.2.22	144.141.68.86
Mar 19, 2024 13:00:17.572828054 CET	50034	445	192.168.2.22	52.228.144.173
Mar 19, 2024 13:00:17.588438988 CET	50035	445	192.168.2.22	6.72.189.117
Mar 19, 2024 13:00:17.698014021 CET	50036	445	192.168.2.22	194.215.104.24
Mar 19, 2024 13:00:17.775772095 CET	50037	445	192.168.2.22	6.58.239.56
Mar 19, 2024 13:00:17.776087999 CET	50038	445	192.168.2.22	214.109.206.173
Mar 19, 2024 13:00:17.884929895 CET	50039	445	192.168.2.22	157.219.184.131
Mar 19, 2024 13:00:17.885251045 CET	50040	445	192.168.2.22	90.132.165.114
Mar 19, 2024 13:00:17.885636091 CET	50041	445	192.168.2.22	163.203.29.193
Mar 19, 2024 13:00:17.900408030 CET	50042	445	192.168.2.22	104.112.116.50
Mar 19, 2024 13:00:17.931832075 CET	50043	445	192.168.2.22	31.166.234.134
Mar 19, 2024 13:00:17.993985891 CET	50044	445	192.168.2.22	147.220.51.249
Mar 19, 2024 13:00:17.994048119 CET	50045	445	192.168.2.22	107.57.80.43
Mar 19, 2024 13:00:17.994602919 CET	50046	445	192.168.2.22	203.52.89.98
Mar 19, 2024 13:00:17.994942904 CET	50047	445	192.168.2.22	58.173.197.164
Mar 19, 2024 13:00:17.995142937 CET	50048	445	192.168.2.22	115.228.109.156
Mar 19, 2024 13:00:18.072046041 CET	50049	445	192.168.2.22	5.71.254.163
Mar 19, 2024 13:00:18.072124958 CET	50050	445	192.168.2.22	219.238.17.175
Mar 19, 2024 13:00:18.181504965 CET	50051	445	192.168.2.22	69.200.247.65
Mar 19, 2024 13:00:18.181663990 CET	50052	445	192.168.2.22	54.120.65.100
Mar 19, 2024 13:00:18.352900982 CET	50053	445	192.168.2.22	58.21.17.83
Mar 19, 2024 13:00:18.352969885 CET	50054	445	192.168.2.22	108.178.214.41
Mar 19, 2024 13:00:18.399682045 CET	50055	445	192.168.2.22	95.8.216.173
Mar 19, 2024 13:00:18.433425903 CET	50056	445	192.168.2.22	214.73.44.109
Mar 19, 2024 13:00:18.433530092 CET	50057	445	192.168.2.22	50.113.97.195
Mar 19, 2024 13:00:18.446474075 CET	50058	445	192.168.2.22	4.228.132.145
Mar 19, 2024 13:00:18.477583885 CET	50059	445	192.168.2.22	125.237.23.160
Mar 19, 2024 13:00:18.540115118 CET	50060	445	192.168.2.22	82.159.46.49
Mar 19, 2024 13:00:18.540201902 CET	50061	445	192.168.2.22	203.112.151.160
Mar 19, 2024 13:00:18.586884975 CET	50062	445	192.168.2.22	74.48.19.199
Mar 19, 2024 13:00:18.602438927 CET	50063	445	192.168.2.22	100.42.20.206
Mar 19, 2024 13:00:18.633598089 CET	50064	445	192.168.2.22	220.41.36.67
Mar 19, 2024 13:00:18.696014881 CET	50065	445	192.168.2.22	206.58.94.161
Mar 19, 2024 13:00:18.715931892 CET	50066	445	192.168.2.22	43.58.219.179
Mar 19, 2024 13:00:18.749269009 CET	445	50062	74.48.19.199	192.168.2.22
Mar 19, 2024 13:00:18.821063042 CET	50067	445	192.168.2.22	85.74.135.115
Mar 19, 2024 13:00:18.899008036 CET	50068	445	192.168.2.22	67.187.26.49
Mar 19, 2024 13:00:18.899077892 CET	50069	445	192.168.2.22	144.26.38.145
Mar 19, 2024 13:00:18.946047068 CET	50070	445	192.168.2.22	122.31.109.40
Mar 19, 2024 13:00:19.008071899 CET	50071	445	192.168.2.22	130.144.95.82
Mar 19, 2024 13:00:19.008362055 CET	50072	445	192.168.2.22	81.196.137.227
Mar 19, 2024 13:00:19.008820057 CET	50073	445	192.168.2.22	79.118.208.36
Mar 19, 2024 13:00:19.023590088 CET	50074	445	192.168.2.22	84.11.70.7
Mar 19, 2024 13:00:19.054852962 CET	50075	445	192.168.2.22	24.103.61.201
Mar 19, 2024 13:00:19.117270947 CET	50076	445	192.168.2.22	72.135.14.144
Mar 19, 2024 13:00:19.117356062 CET	50077	445	192.168.2.22	40.113.67.151
Mar 19, 2024 13:00:19.117357016 CET	50078	445	192.168.2.22	203.43.2.205
Mar 19, 2024 13:00:19.117383957 CET	50079	445	192.168.2.22	210.109.175.78
Mar 19, 2024 13:00:19.117458105 CET	50080	445	192.168.2.22	183.193.108.16
Mar 19, 2024 13:00:19.195369959 CET	50081	445	192.168.2.22	129.131.159.126
Mar 19, 2024 13:00:19.195463896 CET	50082	445	192.168.2.22	87.202.106.19
Mar 19, 2024 13:00:19.203063011 CET	445	50073	79.118.208.36	192.168.2.22
Mar 19, 2024 13:00:19.218050003 CET	445	50072	81.196.137.227	192.168.2.22
Mar 19, 2024 13:00:19.257533073 CET	50062	445	192.168.2.22	74.48.19.199
Mar 19, 2024 13:00:19.304425955 CET	50083	445	192.168.2.22	116.219.185.147
Mar 19, 2024 13:00:19.304826975 CET	50084	445	192.168.2.22	201.186.204.171
Mar 19, 2024 13:00:19.416481972 CET	445	50062	74.48.19.199	192.168.2.22
Mar 19, 2024 13:00:19.491908073 CET	50085	445	192.168.2.22	11.242.67.92
Mar 19, 2024 13:00:19.492289066 CET	50086	445	192.168.2.22	154.167.77.119
Mar 19, 2024 13:00:19.523092031 CET	50087	445	192.168.2.22	105.187.154.163
Mar 19, 2024 13:00:19.554145098 CET	50088	445	192.168.2.22	3.80.70.80
Mar 19, 2024 13:00:19.554260969 CET	50089	445	192.168.2.22	150.45.247.198
Mar 19, 2024 13:00:19.569731951 CET	50090	445	192.168.2.22	191.65.35.144
Mar 19, 2024 13:00:19.600930929 CET	50091	445	192.168.2.22	167.180.168.144
Mar 19, 2024 13:00:19.663218975 CET	50092	445	192.168.2.22	34.142.89.161
Mar 19, 2024 13:00:19.663439989 CET	50093	445	192.168.2.22	123.199.103.154
Mar 19, 2024 13:00:19.710072041 CET	50095	445	192.168.2.22	198.178.65.218
Mar 19, 2024 13:00:19.725517988 CET	50073	445	192.168.2.22	79.118.208.36
Mar 19, 2024 13:00:19.727938890 CET	50072	445	192.168.2.22	81.196.137.227
Mar 19, 2024 13:00:19.731769085 CET	50096	445	192.168.2.22	115.239.72.210
Mar 19, 2024 13:00:19.756838083 CET	50097	445	192.168.2.22	174.5.98.126
Mar 19, 2024 13:00:19.819220066 CET	50098	445	192.168.2.22	138.238.1.70
Mar 19, 2024 13:00:19.834827900 CET	50099	445	192.168.2.22	115.231.67.202
Mar 19, 2024 13:00:19.920824051 CET	445	50073	79.118.208.36	192.168.2.22
Mar 19, 2024 13:00:19.937808037 CET	445	50072	81.196.137.227	192.168.2.22
Mar 19, 2024 13:00:19.944024086 CET	50100	445	192.168.2.22	179.86.11.155
Mar 19, 2024 13:00:20.022130966 CET	50101	445	192.168.2.22	154.226.222.185
Mar 19, 2024 13:00:20.022197962 CET	50102	445	192.168.2.22	192.226.36.235
Mar 19, 2024 13:00:20.068916082 CET	50103	445	192.168.2.22	164.81.116.59
Mar 19, 2024 13:00:20.131313086 CET	50104	445	192.168.2.22	30.58.250.141
Mar 19, 2024 13:00:20.132018089 CET	50105	445	192.168.2.22	206.197.8.29
Mar 19, 2024 13:00:20.132395029 CET	50106	445	192.168.2.22	184.157.169.173
Mar 19, 2024 13:00:20.146883965 CET	50107	445	192.168.2.22	55.52.236.112
Mar 19, 2024 13:00:20.178040028 CET	50108	445	192.168.2.22	219.70.107.151
Mar 19, 2024 13:00:20.240407944 CET	50109	445	192.168.2.22	170.37.125.10
Mar 19, 2024 13:00:20.240468979 CET	50110	445	192.168.2.22	175.86.231.49
Mar 19, 2024 13:00:20.240544081 CET	50111	445	192.168.2.22	119.96.117.238
Mar 19, 2024 13:00:20.240695000 CET	50112	445	192.168.2.22	199.168.120.200
Mar 19, 2024 13:00:20.240839958 CET	50113	445	192.168.2.22	24.220.63.20
Mar 19, 2024 13:00:20.318532944 CET	50114	445	192.168.2.22	140.78.108.154
Mar 19, 2024 13:00:20.318764925 CET	50115	445	192.168.2.22	155.205.80.136
Mar 19, 2024 13:00:20.372840881 CET	445	50113	24.220.63.20	192.168.2.22
Mar 19, 2024 13:00:20.399698973 CET	445	50112	199.168.120.200	192.168.2.22
Mar 19, 2024 13:00:20.427625895 CET	50117	445	192.168.2.22	74.225.203.243
Mar 19, 2024 13:00:20.427681923 CET	50118	445	192.168.2.22	108.135.38.219
Mar 19, 2024 13:00:20.614984989 CET	50119	445	192.168.2.22	176.55.233.163
Mar 19, 2024 13:00:20.615283966 CET	50120	445	192.168.2.22	172.28.91.199
Mar 19, 2024 13:00:20.646353006 CET	50121	445	192.168.2.22	114.7.107.169
Mar 19, 2024 13:00:20.677280903 CET	50122	445	192.168.2.22	81.83.50.155
Mar 19, 2024 13:00:20.677326918 CET	50123	445	192.168.2.22	215.45.232.178
Mar 19, 2024 13:00:20.692807913 CET	50124	445	192.168.2.22	136.241.197.23
Mar 19, 2024 13:00:20.724021912 CET	50125	445	192.168.2.22	170.190.27.40
Mar 19, 2024 13:00:20.786436081 CET	50126	445	192.168.2.22	43.22.136.73
Mar 19, 2024 13:00:20.786498070 CET	50127	445	192.168.2.22	21.79.156.199
Mar 19, 2024 13:00:20.833220959 CET	50129	445	192.168.2.22	50.199.209.42
Mar 19, 2024 13:00:20.848812103 CET	50130	445	192.168.2.22	177.202.247.211
Mar 19, 2024 13:00:20.864322901 CET	50113	445	192.168.2.22	24.220.63.20
Mar 19, 2024 13:00:20.880054951 CET	50131	445	192.168.2.22	51.149.73.188
Mar 19, 2024 13:00:20.895534039 CET	50112	445	192.168.2.22	199.168.120.200
Mar 19, 2024 13:00:20.942400932 CET	50132	445	192.168.2.22	46.16.225.155
Mar 19, 2024 13:00:20.957984924 CET	50133	445	192.168.2.22	135.25.143.106
Mar 19, 2024 13:00:20.996068954 CET	445	50113	24.220.63.20	192.168.2.22
Mar 19, 2024 13:00:21.054157972 CET	445	50112	199.168.120.200	192.168.2.22
Mar 19, 2024 13:00:21.067199945 CET	50135	445	192.168.2.22	56.231.194.168
Mar 19, 2024 13:00:21.147418022 CET	50136	445	192.168.2.22	147.108.155.243
Mar 19, 2024 13:00:21.147506952 CET	50137	445	192.168.2.22	93.185.247.237
Mar 19, 2024 13:00:21.192071915 CET	50138	445	192.168.2.22	140.187.234.251
Mar 19, 2024 13:00:21.254477978 CET	50139	445	192.168.2.22	117.193.157.196
Mar 19, 2024 13:00:21.254692078 CET	50140	445	192.168.2.22	192.247.56.231
Mar 19, 2024 13:00:21.255089998 CET	50141	445	192.168.2.22	49.189.189.237
Mar 19, 2024 13:00:21.270116091 CET	50142	445	192.168.2.22	98.140.192.55
Mar 19, 2024 13:00:21.301218033 CET	50143	445	192.168.2.22	184.196.136.250
Mar 19, 2024 13:00:21.363616943 CET	50144	445	192.168.2.22	140.36.107.72
Mar 19, 2024 13:00:21.363682032 CET	50145	445	192.168.2.22	134.21.79.65
Mar 19, 2024 13:00:21.363936901 CET	50146	445	192.168.2.22	5.110.254.69
Mar 19, 2024 13:00:21.364178896 CET	50147	445	192.168.2.22	6.77.112.63
Mar 19, 2024 13:00:21.364500046 CET	50148	445	192.168.2.22	98.27.83.30
Mar 19, 2024 13:00:21.441627026 CET	50149	445	192.168.2.22	110.75.244.243
Mar 19, 2024 13:00:21.441692114 CET	50150	445	192.168.2.22	66.188.159.228
Mar 19, 2024 13:00:21.550865889 CET	50153	445	192.168.2.22	176.128.218.254
Mar 19, 2024 13:00:21.551069021 CET	50154	445	192.168.2.22	115.47.233.106
Mar 19, 2024 13:00:21.738349915 CET	50155	445	192.168.2.22	121.199.94.250
Mar 19, 2024 13:00:21.738754988 CET	50156	445	192.168.2.22	34.57.69.185
Mar 19, 2024 13:00:21.784640074 CET	50157	445	192.168.2.22	13.205.102.110
Mar 19, 2024 13:00:21.800518990 CET	50158	445	192.168.2.22	95.7.211.18
Mar 19, 2024 13:00:21.800555944 CET	50159	445	192.168.2.22	193.186.231.243
Mar 19, 2024 13:00:21.816078901 CET	50160	445	192.168.2.22	180.53.225.50
Mar 19, 2024 13:00:21.847664118 CET	50161	445	192.168.2.22	16.71.150.63
Mar 19, 2024 13:00:21.909888029 CET	50163	445	192.168.2.22	84.214.164.209
Mar 19, 2024 13:00:21.909981012 CET	50164	445	192.168.2.22	99.29.234.125
Mar 19, 2024 13:00:21.956536055 CET	50165	445	192.168.2.22	146.31.159.69
Mar 19, 2024 13:00:21.972116947 CET	50166	445	192.168.2.22	102.21.121.245
Mar 19, 2024 13:00:22.003351927 CET	50167	445	192.168.2.22	168.20.86.80
Mar 19, 2024 13:00:22.065656900 CET	50168	445	192.168.2.22	106.185.247.21
Mar 19, 2024 13:00:22.081178904 CET	50169	445	192.168.2.22	135.1.186.55
Mar 19, 2024 13:00:22.190546989 CET	50172	445	192.168.2.22	83.49.245.121
Mar 19, 2024 13:00:22.268546104 CET	50173	445	192.168.2.22	193.117.91.29
Mar 19, 2024 13:00:22.268631935 CET	50174	445	192.168.2.22	47.174.193.243
Mar 19, 2024 13:00:22.315234900 CET	50175	445	192.168.2.22	135.82.150.58
Mar 19, 2024 13:00:22.377690077 CET	50176	445	192.168.2.22	214.58.153.92
Mar 19, 2024 13:00:22.378420115 CET	50177	445	192.168.2.22	74.86.45.127
Mar 19, 2024 13:00:22.378773928 CET	50178	445	192.168.2.22	195.218.59.84
Mar 19, 2024 13:00:22.393253088 CET	50179	445	192.168.2.22	193.93.4.247
Mar 19, 2024 13:00:22.424390078 CET	50180	445	192.168.2.22	141.223.209.208
Mar 19, 2024 13:00:22.486861944 CET	50181	445	192.168.2.22	50.84.237.128
Mar 19, 2024 13:00:22.486942053 CET	50182	445	192.168.2.22	28.84.244.167
Mar 19, 2024 13:00:22.487046003 CET	50183	445	192.168.2.22	18.65.42.28
Mar 19, 2024 13:00:22.487076044 CET	50184	445	192.168.2.22	154.54.86.11
Mar 19, 2024 13:00:22.502428055 CET	50185	445	192.168.2.22	205.50.184.80
Mar 19, 2024 13:00:22.565248966 CET	50186	445	192.168.2.22	4.246.109.13
Mar 19, 2024 13:00:22.565488100 CET	50187	445	192.168.2.22	77.152.71.131
Mar 19, 2024 13:00:22.674010038 CET	50191	445	192.168.2.22	142.65.170.59
Mar 19, 2024 13:00:22.674381018 CET	50192	445	192.168.2.22	197.81.32.168
Mar 19, 2024 13:00:22.861263990 CET	50193	445	192.168.2.22	160.163.85.69
Mar 19, 2024 13:00:22.861390114 CET	50194	445	192.168.2.22	208.60.175.26
Mar 19, 2024 13:00:22.892457008 CET	50195	445	192.168.2.22	22.111.196.15
Mar 19, 2024 13:00:22.923682928 CET	50196	445	192.168.2.22	65.44.46.212
Mar 19, 2024 13:00:22.923815966 CET	50197	445	192.168.2.22	24.176.87.199
Mar 19, 2024 13:00:22.939574957 CET	50198	445	192.168.2.22	158.20.53.32
Mar 19, 2024 13:00:22.970771074 CET	50199	445	192.168.2.22	142.183.72.246
Mar 19, 2024 13:00:23.032809973 CET	50200	445	192.168.2.22	109.168.93.89
Mar 19, 2024 13:00:23.033480883 CET	50202	445	192.168.2.22	108.78.158.25
Mar 19, 2024 13:00:23.095216990 CET	50205	445	192.168.2.22	113.162.26.61
Mar 19, 2024 13:00:23.126446009 CET	50206	445	192.168.2.22	141.43.125.82
Mar 19, 2024 13:00:23.189040899 CET	50207	445	192.168.2.22	191.212.127.159
Mar 19, 2024 13:00:23.204444885 CET	50208	445	192.168.2.22	143.202.90.161
Mar 19, 2024 13:00:23.313630104 CET	50211	445	192.168.2.22	10.125.245.135
Mar 19, 2024 13:00:23.391818047 CET	50212	445	192.168.2.22	146.159.223.22
Mar 19, 2024 13:00:23.391849995 CET	50213	445	192.168.2.22	18.155.205.32
Mar 19, 2024 13:00:23.438467979 CET	50214	445	192.168.2.22	103.232.169.229
Mar 19, 2024 13:00:23.500889063 CET	50215	445	192.168.2.22	205.202.243.57
Mar 19, 2024 13:00:23.501127958 CET	50216	445	192.168.2.22	140.183.220.154
Mar 19, 2024 13:00:23.501235962 CET	50217	445	192.168.2.22	126.168.254.181
Mar 19, 2024 13:00:23.516462088 CET	50218	445	192.168.2.22	164.235.221.114
Mar 19, 2024 13:00:23.547653913 CET	50220	445	192.168.2.22	41.38.198.60
Mar 19, 2024 13:00:23.610140085 CET	50221	445	192.168.2.22	173.34.110.125
Mar 19, 2024 13:00:23.610141993 CET	50222	445	192.168.2.22	166.72.60.208
Mar 19, 2024 13:00:23.610203028 CET	50223	445	192.168.2.22	23.232.162.154
Mar 19, 2024 13:00:23.610629082 CET	50224	445	192.168.2.22	90.188.69.100
Mar 19, 2024 13:00:23.625715017 CET	50225	445	192.168.2.22	94.162.67.171
Mar 19, 2024 13:00:23.688097000 CET	50226	445	192.168.2.22	108.49.81.23
Mar 19, 2024 13:00:23.688168049 CET	50227	445	192.168.2.22	11.52.174.14
Mar 19, 2024 13:00:23.797211885 CET	50231	445	192.168.2.22	55.254.104.110
Mar 19, 2024 13:00:23.797568083 CET	50232	445	192.168.2.22	59.106.164.161
Mar 19, 2024 13:00:23.984519005 CET	50234	445	192.168.2.22	59.42.237.147
Mar 19, 2024 13:00:23.984877110 CET	50235	445	192.168.2.22	56.82.11.117
Mar 19, 2024 13:00:24.015837908 CET	50236	445	192.168.2.22	122.203.113.90
Mar 19, 2024 13:00:24.047019005 CET	50237	445	192.168.2.22	141.0.57.115
Mar 19, 2024 13:00:24.047148943 CET	50238	445	192.168.2.22	84.89.111.38
Mar 19, 2024 13:00:24.062452078 CET	50239	445	192.168.2.22	155.132.147.24
Mar 19, 2024 13:00:24.093889952 CET	50240	445	192.168.2.22	54.138.140.2
Mar 19, 2024 13:00:24.156472921 CET	50242	445	192.168.2.22	94.167.213.128
Mar 19, 2024 13:00:24.156687021 CET	50241	445	192.168.2.22	163.219.58.47
Mar 19, 2024 13:00:24.206531048 CET	50244	445	192.168.2.22	122.111.73.2
Mar 19, 2024 13:00:24.218772888 CET	50246	445	192.168.2.22	161.192.15.145
Mar 19, 2024 13:00:24.249831915 CET	50247	445	192.168.2.22	73.11.244.39
Mar 19, 2024 13:00:24.312155008 CET	50248	445	192.168.2.22	85.170.60.0
Mar 19, 2024 13:00:24.327734947 CET	50249	445	192.168.2.22	43.202.230.41
Mar 19, 2024 13:00:24.437365055 CET	50253	445	192.168.2.22	164.140.124.179
Mar 19, 2024 13:00:24.515547037 CET	50254	445	192.168.2.22	75.157.166.191
Mar 19, 2024 13:00:24.515769958 CET	50255	445	192.168.2.22	57.141.138.238
Mar 19, 2024 13:00:24.561687946 CET	50256	445	192.168.2.22	151.28.169.3
Mar 19, 2024 13:00:24.624526978 CET	50257	445	192.168.2.22	178.202.228.86
Mar 19, 2024 13:00:24.624737024 CET	50258	445	192.168.2.22	109.215.136.14
Mar 19, 2024 13:00:24.625077009 CET	50259	445	192.168.2.22	104.77.46.103
Mar 19, 2024 13:00:24.639991045 CET	50260	445	192.168.2.22	167.4.105.94
Mar 19, 2024 13:00:24.733546972 CET	50264	445	192.168.2.22	9.63.170.82
Mar 19, 2024 13:00:24.733818054 CET	50266	445	192.168.2.22	25.132.30.168
Mar 19, 2024 13:00:24.733891964 CET	50265	445	192.168.2.22	96.175.132.232
Mar 19, 2024 13:00:24.734097958 CET	50267	445	192.168.2.22	203.148.116.42
Mar 19, 2024 13:00:24.749461889 CET	50268	445	192.168.2.22	92.197.190.211
Mar 19, 2024 13:00:24.754686117 CET	445	50256	151.28.169.3	192.168.2.22
Mar 19, 2024 13:00:24.811285019 CET	50269	445	192.168.2.22	140.180.66.176
Mar 19, 2024 13:00:24.811391115 CET	50270	445	192.168.2.22	148.64.200.59
Mar 19, 2024 13:00:24.920460939 CET	50274	445	192.168.2.22	96.55.221.207
Mar 19, 2024 13:00:24.925529957 CET	50275	445	192.168.2.22	77.96.90.223
Mar 19, 2024 13:00:25.108764887 CET	50278	445	192.168.2.22	125.45.204.69
Mar 19, 2024 13:00:25.108822107 CET	50279	445	192.168.2.22	66.82.202.0
Mar 19, 2024 13:00:25.147875071 CET	50280	445	192.168.2.22	182.90.160.59
Mar 19, 2024 13:00:25.170236111 CET	50281	445	192.168.2.22	209.103.29.87
Mar 19, 2024 13:00:25.170377970 CET	50282	445	192.168.2.22	211.203.36.107
Mar 19, 2024 13:00:25.191801071 CET	50283	445	192.168.2.22	175.26.160.231
Mar 19, 2024 13:00:25.222274065 CET	50284	445	192.168.2.22	9.144.61.137
Mar 19, 2024 13:00:25.279483080 CET	50286	445	192.168.2.22	214.67.216.109
Mar 19, 2024 13:00:25.279596090 CET	50287	445	192.168.2.22	201.133.125.19
Mar 19, 2024 13:00:25.325928926 CET	50256	445	192.168.2.22	151.28.169.3
Mar 19, 2024 13:00:25.326086044 CET	50288	445	192.168.2.22	152.165.22.28
Mar 19, 2024 13:00:25.344865084 CET	50290	445	192.168.2.22	210.42.213.185
Mar 19, 2024 13:00:25.373266935 CET	50292	445	192.168.2.22	40.195.67.143
Mar 19, 2024 13:00:25.435237885 CET	50293	445	192.168.2.22	49.35.128.117
Mar 19, 2024 13:00:25.450828075 CET	50294	445	192.168.2.22	24.205.71.79
Mar 19, 2024 13:00:25.517750978 CET	445	50256	151.28.169.3	192.168.2.22
Mar 19, 2024 13:00:25.564254045 CET	50298	445	192.168.2.22	75.37.119.78
Mar 19, 2024 13:00:25.605274916 CET	445	50288	152.165.22.28	192.168.2.22
Mar 19, 2024 13:00:25.638196945 CET	50299	445	192.168.2.22	133.138.81.159
Mar 19, 2024 13:00:25.638283014 CET	50300	445	192.168.2.22	178.218.81.120
Mar 19, 2024 13:00:25.684844971 CET	50302	445	192.168.2.22	177.210.174.244
Mar 19, 2024 13:00:25.747479916 CET	50303	445	192.168.2.22	76.146.219.219
Mar 19, 2024 13:00:25.747633934 CET	50304	445	192.168.2.22	110.113.53.18
Mar 19, 2024 13:00:25.747807026 CET	50305	445	192.168.2.22	47.161.240.240
Mar 19, 2024 13:00:25.762850046 CET	50306	445	192.168.2.22	209.23.249.224
Mar 19, 2024 13:00:25.794852972 CET	50308	445	192.168.2.22	110.15.211.240
Mar 19, 2024 13:00:25.856451035 CET	50310	445	192.168.2.22	24.144.46.99
Mar 19, 2024 13:00:25.856471062 CET	50311	445	192.168.2.22	115.241.215.84
Mar 19, 2024 13:00:25.856547117 CET	50312	445	192.168.2.22	30.39.168.11
Mar 19, 2024 13:00:25.856616020 CET	50313	445	192.168.2.22	159.205.199.159
Mar 19, 2024 13:00:25.872237921 CET	50314	445	192.168.2.22	157.107.226.35
Mar 19, 2024 13:00:25.934525967 CET	50315	445	192.168.2.22	221.58.74.177
Mar 19, 2024 13:00:25.934619904 CET	50316	445	192.168.2.22	139.243.59.116
Mar 19, 2024 13:00:26.043632984 CET	50321	445	192.168.2.22	222.125.28.112
Mar 19, 2024 13:00:26.043920994 CET	50322	445	192.168.2.22	42.142.148.141
Mar 19, 2024 13:00:26.121527910 CET	50288	445	192.168.2.22	152.165.22.28
Mar 19, 2024 13:00:26.231122971 CET	50326	445	192.168.2.22	152.148.56.120
Mar 19, 2024 13:00:26.231205940 CET	50327	445	192.168.2.22	152.42.63.251
Mar 19, 2024 13:00:26.262038946 CET	50328	445	192.168.2.22	154.49.193.47
Mar 19, 2024 13:00:26.293286085 CET	50329	445	192.168.2.22	98.149.152.13
Mar 19, 2024 13:00:26.293313026 CET	50330	445	192.168.2.22	181.29.116.116
Mar 19, 2024 13:00:26.309024096 CET	50331	445	192.168.2.22	88.217.41.203
Mar 19, 2024 13:00:26.340156078 CET	50332	445	192.168.2.22	36.151.190.102
Mar 19, 2024 13:00:26.401770115 CET	445	50288	152.165.22.28	192.168.2.22
Mar 19, 2024 13:00:26.402465105 CET	50333	445	192.168.2.22	167.27.147.216
Mar 19, 2024 13:00:26.402626038 CET	50335	445	192.168.2.22	211.211.11.34
Mar 19, 2024 13:00:26.449300051 CET	50336	445	192.168.2.22	218.31.187.159
Mar 19, 2024 13:00:26.464844942 CET	50339	445	192.168.2.22	211.211.241.225
Mar 19, 2024 13:00:26.495985985 CET	50341	445	192.168.2.22	138.246.217.105
Mar 19, 2024 13:00:26.558499098 CET	50342	445	192.168.2.22	192.106.78.117
Mar 19, 2024 13:00:26.574115038 CET	50343	445	192.168.2.22	132.254.99.45
Mar 19, 2024 13:00:26.683324099 CET	50347	445	192.168.2.22	13.214.240.95
Mar 19, 2024 13:00:26.761326075 CET	50349	445	192.168.2.22	219.177.136.19
Mar 19, 2024 13:00:26.761385918 CET	50350	445	192.168.2.22	48.21.174.59
Mar 19, 2024 13:00:26.808046103 CET	50352	445	192.168.2.22	2.105.142.208
Mar 19, 2024 13:00:26.870589972 CET	50353	445	192.168.2.22	44.15.43.94
Mar 19, 2024 13:00:26.870719910 CET	50354	445	192.168.2.22	174.64.243.114
Mar 19, 2024 13:00:26.870757103 CET	50355	445	192.168.2.22	105.69.49.143
Mar 19, 2024 13:00:26.886023998 CET	50356	445	192.168.2.22	67.56.107.68
Mar 19, 2024 13:00:26.917298079 CET	50359	445	192.168.2.22	115.70.18.211
Mar 19, 2024 13:00:26.979681015 CET	50361	445	192.168.2.22	101.111.17.226
Mar 19, 2024 13:00:26.979757071 CET	50362	445	192.168.2.22	205.37.141.98
Mar 19, 2024 13:00:26.979799032 CET	50363	445	192.168.2.22	51.244.235.31
Mar 19, 2024 13:00:26.979839087 CET	50364	445	192.168.2.22	162.174.20.104
Mar 19, 2024 13:00:26.995254993 CET	50365	445	192.168.2.22	192.123.103.148
Mar 19, 2024 13:00:27.057661057 CET	50366	445	192.168.2.22	193.41.33.63
Mar 19, 2024 13:00:27.057737112 CET	50367	445	192.168.2.22	159.234.64.150
Mar 19, 2024 13:00:27.166834116 CET	50373	445	192.168.2.22	129.80.239.22
Mar 19, 2024 13:00:27.166857958 CET	50374	445	192.168.2.22	57.99.198.43
Mar 19, 2024 13:00:27.354298115 CET	50379	445	192.168.2.22	220.148.16.176
Mar 19, 2024 13:00:27.354361057 CET	50380	445	192.168.2.22	175.223.241.199
Mar 19, 2024 13:00:27.422395945 CET	50381	445	192.168.2.22	18.13.160.153
Mar 19, 2024 13:00:27.431981087 CET	50382	445	192.168.2.22	176.87.141.234
Mar 19, 2024 13:00:27.433760881 CET	50383	445	192.168.2.22	19.124.93.203
Mar 19, 2024 13:00:27.433892965 CET	50384	445	192.168.2.22	63.1.216.84
Mar 19, 2024 13:00:27.463298082 CET	50385	445	192.168.2.22	223.82.58.120
Mar 19, 2024 13:00:27.588108063 CET	50387	445	192.168.2.22	74.221.139.85
Mar 19, 2024 13:00:27.625379086 CET	50388	445	192.168.2.22	152.63.199.165
Mar 19, 2024 13:00:27.626080990 CET	50389	445	192.168.2.22	176.104.249.16
Mar 19, 2024 13:00:27.626277924 CET	50391	445	192.168.2.22	46.94.136.47
Mar 19, 2024 13:00:27.972405910 CET	50396	445	192.168.2.22	161.211.55.73
Mar 19, 2024 13:00:27.972537994 CET	50398	445	192.168.2.22	38.144.11.67
Mar 19, 2024 13:00:27.972670078 CET	50401	445	192.168.2.22	87.131.77.235
Mar 19, 2024 13:00:27.976320028 CET	50403	445	192.168.2.22	114.119.213.7
Mar 19, 2024 13:00:28.071811914 CET	50405	445	192.168.2.22	43.10.21.120
Mar 19, 2024 13:00:28.071885109 CET	50406	445	192.168.2.22	174.145.206.164
Mar 19, 2024 13:00:28.071963072 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:28.072060108 CET	50410	445	192.168.2.22	188.178.112.15
Mar 19, 2024 13:00:28.072278023 CET	50413	445	192.168.2.22	125.83.101.170
Mar 19, 2024 13:00:28.072331905 CET	50414	445	192.168.2.22	152.38.166.139
Mar 19, 2024 13:00:28.087266922 CET	50415	445	192.168.2.22	131.234.70.159
Mar 19, 2024 13:00:28.087353945 CET	50416	445	192.168.2.22	178.2.244.48
Mar 19, 2024 13:00:28.102961063 CET	50417	445	192.168.2.22	112.77.50.39
Mar 19, 2024 13:00:28.103005886 CET	50418	445	192.168.2.22	84.242.178.131
Mar 19, 2024 13:00:28.103054047 CET	50419	445	192.168.2.22	51.70.40.117
Mar 19, 2024 13:00:28.103101969 CET	50420	445	192.168.2.22	55.36.108.250
Mar 19, 2024 13:00:28.118424892 CET	50422	445	192.168.2.22	220.77.103.18
Mar 19, 2024 13:00:28.329832077 CET	445	50408	5.209.64.109	192.168.2.22
Mar 19, 2024 13:00:28.329907894 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:28.386318922 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:28.386404991 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:28.386605978 CET	50429	445	192.168.2.22	61.49.91.181
Mar 19, 2024 13:00:28.447774887 CET	50431	445	192.168.2.22	17.62.61.173
Mar 19, 2024 13:00:28.447844028 CET	50432	445	192.168.2.22	167.203.175.140
Mar 19, 2024 13:00:28.537437916 CET	50436	445	192.168.2.22	214.29.115.68
Mar 19, 2024 13:00:28.537550926 CET	50437	445	192.168.2.22	211.218.132.242
Mar 19, 2024 13:00:28.539632082 CET	50439	445	192.168.2.22	181.217.208.27
Mar 19, 2024 13:00:28.555232048 CET	50440	445	192.168.2.22	194.39.227.240
Mar 19, 2024 13:00:28.555555105 CET	50441	445	192.168.2.22	137.193.148.143
Mar 19, 2024 13:00:28.555696964 CET	50442	445	192.168.2.22	85.212.254.179
Mar 19, 2024 13:00:28.556091070 CET	50445	445	192.168.2.22	18.188.130.253
Mar 19, 2024 13:00:28.586456060 CET	50447	445	192.168.2.22	40.107.10.188
Mar 19, 2024 13:00:28.633141041 CET	445	50427	5.209.64.1	192.168.2.22
Mar 19, 2024 13:00:28.633205891 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:28.633327961 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:28.633517027 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:28.711239100 CET	50450	445	192.168.2.22	120.114.18.216
Mar 19, 2024 13:00:28.742607117 CET	50452	445	192.168.2.22	7.217.145.17
Mar 19, 2024 13:00:28.742608070 CET	50453	445	192.168.2.22	159.119.148.78
Mar 19, 2024 13:00:28.742727995 CET	50455	445	192.168.2.22	199.253.145.237
Mar 19, 2024 13:00:28.891783953 CET	445	50448	5.209.64.1	192.168.2.22
Mar 19, 2024 13:00:28.891855955 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:28.891891003 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:29.085948944 CET	50462	445	192.168.2.22	97.135.89.245
Mar 19, 2024 13:00:29.086062908 CET	50466	445	192.168.2.22	103.102.125.187
Mar 19, 2024 13:00:29.086132050 CET	50468	445	192.168.2.22	45.157.240.74
Mar 19, 2024 13:00:29.086225033 CET	50471	445	192.168.2.22	181.226.57.41
Mar 19, 2024 13:00:29.163546085 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:29.194823027 CET	50474	445	192.168.2.22	168.161.136.12
Mar 19, 2024 13:00:29.194972992 CET	50479	445	192.168.2.22	86.202.153.140
Mar 19, 2024 13:00:29.195023060 CET	50480	445	192.168.2.22	23.172.213.144
Mar 19, 2024 13:00:29.195040941 CET	50481	445	192.168.2.22	104.26.173.67
Mar 19, 2024 13:00:29.195106983 CET	50482	445	192.168.2.22	65.182.187.235
Mar 19, 2024 13:00:29.210484982 CET	50483	445	192.168.2.22	217.86.165.3
Mar 19, 2024 13:00:29.210550070 CET	50484	445	192.168.2.22	24.47.43.76
Mar 19, 2024 13:00:29.226022959 CET	50485	445	192.168.2.22	109.44.233.43
Mar 19, 2024 13:00:29.226048946 CET	50486	445	192.168.2.22	141.110.208.172
Mar 19, 2024 13:00:29.226125002 CET	50487	445	192.168.2.22	67.149.136.221
Mar 19, 2024 13:00:29.226129055 CET	50488	445	192.168.2.22	40.244.54.136
Mar 19, 2024 13:00:29.241771936 CET	50490	445	192.168.2.22	27.87.72.94
Mar 19, 2024 13:00:29.351682901 CET	445	50471	181.226.57.41	192.168.2.22
Mar 19, 2024 13:00:29.397547960 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:29.418198109 CET	445	50483	217.86.165.3	192.168.2.22
Mar 19, 2024 13:00:29.506875038 CET	50501	445	192.168.2.22	84.251.48.96
Mar 19, 2024 13:00:29.569657087 CET	50504	445	192.168.2.22	66.96.158.211
Mar 19, 2024 13:00:29.569719076 CET	50505	445	192.168.2.22	147.214.219.82
Mar 19, 2024 13:00:29.647146940 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:29.647399902 CET	50511	445	192.168.2.22	179.243.231.245
Mar 19, 2024 13:00:29.647501945 CET	50513	445	192.168.2.22	185.21.203.29
Mar 19, 2024 13:00:29.662842035 CET	50514	445	192.168.2.22	71.150.1.14
Mar 19, 2024 13:00:29.678433895 CET	50515	445	192.168.2.22	73.107.70.97
Mar 19, 2024 13:00:29.678563118 CET	50516	445	192.168.2.22	165.89.226.233
Mar 19, 2024 13:00:29.678596020 CET	50517	445	192.168.2.22	23.174.125.232
Mar 19, 2024 13:00:29.678699017 CET	50520	445	192.168.2.22	12.141.108.176
Mar 19, 2024 13:00:29.696506023 CET	445	50501	84.251.48.96	192.168.2.22
Mar 19, 2024 13:00:29.709893942 CET	50523	445	192.168.2.22	75.100.136.2
Mar 19, 2024 13:00:29.834449053 CET	50528	445	192.168.2.22	196.37.137.56
Mar 19, 2024 13:00:29.850055933 CET	50471	445	192.168.2.22	181.226.57.41
Mar 19, 2024 13:00:29.865704060 CET	50530	445	192.168.2.22	76.201.108.57
Mar 19, 2024 13:00:29.865892887 CET	50532	445	192.168.2.22	117.221.222.120
Mar 19, 2024 13:00:29.865940094 CET	50534	445	192.168.2.22	1.170.254.212
Mar 19, 2024 13:00:29.927937984 CET	50483	445	192.168.2.22	217.86.165.3
Mar 19, 2024 13:00:30.119142056 CET	445	50471	181.226.57.41	192.168.2.22
Mar 19, 2024 13:00:30.135710955 CET	445	50483	217.86.165.3	192.168.2.22
Mar 19, 2024 13:00:30.208781958 CET	50501	445	192.168.2.22	84.251.48.96
Mar 19, 2024 13:00:30.209193945 CET	50557	445	192.168.2.22	54.122.35.122
Mar 19, 2024 13:00:30.209248066 CET	50559	445	192.168.2.22	93.116.86.104
Mar 19, 2024 13:00:30.209388018 CET	50563	445	192.168.2.22	5.202.243.83
Mar 19, 2024 13:00:30.209443092 CET	50565	445	192.168.2.22	172.144.35.42
Mar 19, 2024 13:00:30.318185091 CET	50579	445	192.168.2.22	113.25.247.88
Mar 19, 2024 13:00:30.318188906 CET	50577	445	192.168.2.22	60.63.47.193
Mar 19, 2024 13:00:30.318188906 CET	50578	445	192.168.2.22	10.200.112.8
Mar 19, 2024 13:00:30.318231106 CET	50582	445	192.168.2.22	51.183.183.107
Mar 19, 2024 13:00:30.318253994 CET	50583	445	192.168.2.22	29.104.94.101
Mar 19, 2024 13:00:30.333645105 CET	50585	445	192.168.2.22	106.159.23.200
Mar 19, 2024 13:00:30.333857059 CET	50586	445	192.168.2.22	197.250.99.109
Mar 19, 2024 13:00:30.349248886 CET	50588	445	192.168.2.22	194.31.220.0
Mar 19, 2024 13:00:30.349309921 CET	50589	445	192.168.2.22	51.197.132.180
Mar 19, 2024 13:00:30.349507093 CET	50591	445	192.168.2.22	98.134.15.119
Mar 19, 2024 13:00:30.349709988 CET	50592	445	192.168.2.22	137.43.130.10
Mar 19, 2024 13:00:30.365037918 CET	50595	445	192.168.2.22	65.88.116.47
Mar 19, 2024 13:00:30.397339106 CET	445	50501	84.251.48.96	192.168.2.22
Mar 19, 2024 13:00:30.630312920 CET	50621	445	192.168.2.22	44.64.96.118
Mar 19, 2024 13:00:30.692789078 CET	50630	445	192.168.2.22	5.152.235.208
Mar 19, 2024 13:00:30.692878008 CET	50631	445	192.168.2.22	32.251.230.102
Mar 19, 2024 13:00:30.739160061 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:30.770462990 CET	50637	445	192.168.2.22	165.177.37.181
Mar 19, 2024 13:00:30.770601034 CET	50639	445	192.168.2.22	190.233.92.248
Mar 19, 2024 13:00:30.786011934 CET	50641	445	192.168.2.22	106.32.185.51
Mar 19, 2024 13:00:30.801744938 CET	50644	445	192.168.2.22	54.236.245.42
Mar 19, 2024 13:00:30.801748037 CET	50643	445	192.168.2.22	178.208.225.176
Mar 19, 2024 13:00:30.801906109 CET	50648	445	192.168.2.22	60.208.46.124
Mar 19, 2024 13:00:30.801948071 CET	50647	445	192.168.2.22	205.220.147.116
Mar 19, 2024 13:00:30.907692909 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:31.160350084 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:31.468321085 CET	50448	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:33.859168053 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:33.921564102 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:39.927557945 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:40.114779949 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:00:51.924021959 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:00:52.610409021 CET	50408	445	192.168.2.22	5.209.64.109
Mar 19, 2024 13:01:15.932499886 CET	50427	445	192.168.2.22	5.209.64.1
Mar 19, 2024 13:01:17.570558071 CET	50408	445	192.168.2.22	5.209.64.109

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 19, 2024 12:59:22.162600040 CET	138	138	192.168.2.22	192.168.2.255
Mar 19, 2024 12:59:26.329581976 CET	138	138	192.168.2.22	192.168.2.255
Mar 19, 2024 12:59:26.506947994 CET	54562	53	192.168.2.22	8.8.8.8
Mar 19, 2024 12:59:26.606369972 CET	53	54562	8.8.8.8	192.168.2.22
Mar 19, 2024 12:59:26.963275909 CET	52917	53	192.168.2.22	8.8.8.8
Mar 19, 2024 12:59:27.060370922 CET	53	52917	8.8.8.8	192.168.2.22
Mar 19, 2024 13:01:26.031538010 CET	138	138	192.168.2.22	192.168.2.255

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 19, 2024 12:59:30.956001043 CET	211.233.26.186	192.168.2.22	c7d3	(Time to live exceeded in transit)	Time Exceeded
Mar 19, 2024 12:59:49.146991014 CET	77.187.137.217	192.168.2.22	356e	(Unknown)	Destination Unreachable
Mar 19, 2024 12:59:59.910646915 CET	78.136.135.10	192.168.2.22	cd8b	(Time to live exceeded in transit)	Time Exceeded
Mar 19, 2024 12:59:59.936063051 CET	151.14.48.6	192.168.2.22	891c	(Host unreachable)	Destination Unreachable
Mar 19, 2024 13:00:01.619266033 CET	40.128.251.121	192.168.2.22	11a3	(Host unreachable)	Destination Unreachable
Mar 19, 2024 13:00:05.725773096 CET	88.116.56.50	192.168.2.22	5086	(Port unreachable)	Destination Unreachable
Mar 19, 2024 13:00:06.834146023 CET	38.140.246.249	192.168.2.22	5f13	(Net unreachable)	Destination Unreachable
Mar 19, 2024 13:00:08.688941002 CET	77.191.157.219	192.168.2.22	7679	(Unknown)	Destination Unreachable
Mar 19, 2024 13:00:11.874273062 CET	185.161.75.21	192.168.2.22	c48e	(Unknown)	Destination Unreachable
Mar 19, 2024 13:00:14.449457884 CET	183.178.25.252	192.168.2.22	a28b	(Host unreachable)	Destination Unreachable
Mar 19, 2024 13:00:17.046430111 CET	185.54.120.139	192.168.2.22	79d1	(Unknown)	Destination Unreachable
Mar 19, 2024 13:00:21.982461929 CET	62.218.129.38	192.168.2.22	7a8b	(Host unreachable)	Destination Unreachable
Mar 19, 2024 13:00:23.225405931 CET	109.168.93.89	192.168.2.22	46d5	(Unknown)	Destination Unreachable
Mar 19, 2024 13:00:26.494009972 CET	88.217.41.203	192.168.2.22	f3d9	(Unknown)	Destination Unreachable
Mar 19, 2024 13:00:27.836168051 CET	45.14.111.171	192.168.2.22	695e	(Net unreachable)	Destination Unreachable
Mar 19, 2024 13:00:30.889715910 CET	5.152.235.6	192.168.2.22	4d8a	(Time to live exceeded in transit)	Time Exceeded

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 19, 2024 12:59:26.506947994 CET	192.168.2.22	8.8.8.8	0x7db7	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
Mar 19, 2024 12:59:26.963275909 CET	192.168.2.22	8.8.8.8	0x8111	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 19, 2024 12:59:26.606369972 CET	8.8.8.8	192.168.2.22	0x7db7	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.17.244.81	A (IP address)	IN (0x0001)	false
Mar 19, 2024 12:59:26.606369972 CET	8.8.8.8	192.168.2.22	0x7db7	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	A (IP address)	IN (0x0001)	false
Mar 19, 2024 12:59:27.060370922 CET	8.8.8.8	192.168.2.22	0x8111	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.17.244.81	A (IP address)	IN (0x0001)	false
Mar 19, 2024 12:59:27.060370922 CET	8.8.8.8	192.168.2.22	0x8111	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.173.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	104.17.244.81	80	2680	C:\Users\user\Desktop\qCc1a4w5YZ.exe

Timestamp	Bytes transferred	Direction	Data
Mar 19, 2024 12:59:26.731565952 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Mar 19, 2024 12:59:26.837632895 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 19 Mar 2024 11:59:26 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 866d4be05d6b5e86-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49162	104.17.244.81	80	3164	C:\Users\user\Desktop\qCc1a4w5YZ.exe

Timestamp	Bytes transferred	Direction	Data
Mar 19, 2024 12:59:27.165393114 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Mar 19, 2024 12:59:27.283140898 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 19 Mar 2024 11:59:27 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 866d4be30cbc0f83-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	0
Start time:	12:59:23
Start date:	19/03/2024
Path:	C:\Users\user\Desktop\qCc1a4w5YZ.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\qCc1a4w5YZ.exe"
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	FB1C4D59ADAF64A044DBA323EA8FE6F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.335185624.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.335206533.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:59:25
Start date:	19/03/2024
Path:	C:\Users\user\Desktop\qCc1a4w5YZ.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\qCc1a4w5YZ.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	FB1C4D59ADAF64A044DBA323EA8FE6F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.338908311.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.338930451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.476299865.000000000280B000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.476242619.00000000022F3000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:59:26
Start date:	19/03/2024
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	7F7CCAA16FB15EB1C7399D422F8363E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.340346288.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs Detection: 93%, Virustotal, Browse
Reputation:	moderate
Has exited:	true

Disassembly

Reset < >

Analysis Process: qCc1a4w5YZ.exePID: 2680, Parent PID: 1244COMMON

Execution Graph

Execution Coverage:	82.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,76A05360,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA,?,00000000), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA,?,00000000), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile,?,00000000), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle,?,00000000), ref: 00407D34
FindResourceA.KERNEL32 ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNEL32(00000000), ref: 00407E68
CreateProcessA.KERNEL32 ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07
D, xrefs: 00407ED3
tasksche.exe, xrefs: 00407DEA
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
C:\%s\qeriuwjhrf, xrefs: 00407E12
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000000.00000002.341932452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341929359.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341936408.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341948668.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,76A05360,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000000.00000002.341932452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341929359.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341936408.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341948668.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32 ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000000.00000002.341932452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341929359.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341936408.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341948668.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000000.00000002.341932452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341929359.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341936408.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341948668.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,76A05360,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000000.00000002.341932452.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.341929359.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341936408.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341939628.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341948668.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.341968463.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: qCc1a4w5YZ.exePID: 3164, Parent PID: 404COMMON

Execution Graph

Execution Coverage:	36.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.SECHOST(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,76A05360,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000004.00000002.476065209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.476062418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476068199.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476080919.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476084079.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Uniqueness

Uniqueness Score: -1.00%

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32 ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000004.00000002.476065209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.476062418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476068199.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476080919.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476084079.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: 372b72291a79fe7f323a7fd117d835006d69336e2c0488ca977e4fa79056e622
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000004.00000002.476065209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.476062418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476068199.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476080919.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476084079.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,76A05360,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000004.00000002.476065209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.476062418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476068199.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476080919.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476084079.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Uniqueness

Uniqueness Score: -1.00%

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,76A05360,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA,?,00000000), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA,?,00000000), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile,?,00000000), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle,?,00000000), ref: 00407D34
FindResourceA.KERNEL32 ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32 ref: 00407E2C

Strings

/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
CreateProcessA, xrefs: 00407D07
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F

Memory Dump Source

Source File: 00000004.00000002.476065209.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.476062418.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476068199.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476070926.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476078183.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476080919.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476084079.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.476101754.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_qCc1a4w5YZ.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: tasksche.exePID: 3256, Parent PID: 2680COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
\..\, xrefs: 00406DD9
/../, xrefs: 00406DF5
\../, xrefs: 00406DE7

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptDecrypt, xrefs: 00401AA0
CryptDestroyKey, xrefs: 00401A86
CryptImportKey, xrefs: 00401A79
advapi32.dll, xrefs: 00401A55
CryptGenKey, xrefs: 00401AAD
CryptEncrypt, xrefs: 00401A93
CryptAcquireContextA, xrefs: 00401A71

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Uniqueness

Uniqueness Score: -1.00%

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Uniqueness

Uniqueness Score: -1.00%

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Uniqueness

Uniqueness Score: -1.00%

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

WriteFile, xrefs: 0040174B
DeleteFileW, xrefs: 0040177F
ReadFile, xrefs: 00401758
kernel32.dll, xrefs: 00401727
MoveFileExW, xrefs: 00401772
CloseHandle, xrefs: 0040178C
MoveFileW, xrefs: 00401765
CreateFileW, xrefs: 00401743

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Uniqueness

Uniqueness Score: -1.00%

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00407389
%s%s%s, xrefs: 004072F6
\, xrefs: 00407358
:, xrefs: 0040736E

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

tasksche.exe, xrefs: 00402061, 0040206D, 00402075
attrib +h ., xrefs: 004020DC
t.wnry, xrefs: 00402125
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
TaskStart, xrefs: 00402145

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Uniqueness

Uniqueness Score: -1.00%

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
0@, xrefs: 00401157
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Uniqueness

Uniqueness Score: -1.00%

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

GetNativeSystemInfo, xrefs: 004022A1
kernel32.dll, xrefs: 0040228C
?!@, xrefs: 004021F8

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Uniqueness

Uniqueness Score: -1.00%

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Uniqueness

Uniqueness Score: -1.00%

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Uniqueness

Uniqueness Score: -1.00%

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Uniqueness

Uniqueness Score: -1.00%

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Uniqueness

Uniqueness Score: -1.00%

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000005.00000002.340508351.0000000000401000.00000020.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.340502387.0000000000400000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340511682.0000000000408000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340514790.000000000040E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.340517998.0000000000410000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qCc1a4w5YZ.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
qCc1a4w5YZ.exe

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON