Edit tour

Windows Analysis Report
LisectAVT_2403002A_26.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_26.exe
Analysis ID:	1481028
MD5:	eb4f4c455604f0f1ce111fbefecd9e21
SHA1:	0a31ea9a024ecf6536283e1eda1f48458b10cbed
SHA256:	3f48a8d80cc55a1fbe9a210b60b07f3677b736b8a02d5408697d9df54a276776
Tags:	exeWannaCry
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to several IPs in different countries

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

svchost.exe (PID: 7472 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 7512 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7552 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7560 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

LisectAVT_2403002A_26.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_26.exe" MD5: EB4F4C455604F0F1CE111FBEFECD9E21)

tasksche.exe (PID: 8068 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 3DF2667EF94776EEB272A1404801F118)

svchost.exe (PID: 7724 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 4296 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7760 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

LisectAVT_2403002A_26.exe (PID: 7980 cmdline: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe -m security MD5: EB4F4C455604F0F1CE111FBEFECD9E21)

svchost.exe (PID: 8100 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
LisectAVT_2403002A_26.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
LisectAVT_2403002A_26.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
LisectAVT_2403002A_26.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
LisectAVT_2403002A_26.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
LisectAVT_2403002A_26.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.1300769671.000000000040E000.00000008.00000001.01000000.00000006.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000000.1276459985.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000000.1291005843.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: LisectAVT_2403002A_26.exe PID: 7600	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: LisectAVT_2403002A_26.exe PID: 7980	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.LisectAVT_2403002A_26.exe.22778c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.LisectAVT_2403002A_26.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.0.LisectAVT_2403002A_26.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.LisectAVT_2403002A_26.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.2.LisectAVT_2403002A_26.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.2.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.2.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.2.LisectAVT_2403002A_26.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.2.LisectAVT_2403002A_26.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.LisectAVT_2403002A_26.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x28cde4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x27cbb0:$x3: tasksche.exe 0x28cdc0:$x3: tasksche.exe 0x28cd9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x28ce14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x27cc1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24726c:$x7: mssecsvc.exe 0x262b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27cb88:$x8: C:\%s\qeriuwjhrf 0x28cde4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x247254:$s1: C:\%s\%s 0x262b7c:$s1: C:\%s\%s 0x27cb9c:$s1: C:\%s\%s 0x28cd14:$s3: cmd.exe /c "%s" 0x2bf268:$s4: msg/m_portuguese.wnry
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x28cdc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x28cde8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x27f8fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2538d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25525a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2850a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
4.0.LisectAVT_2403002A_26.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
4.0.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
4.0.LisectAVT_2403002A_26.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
4.0.LisectAVT_2403002A_26.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
4.0.LisectAVT_2403002A_26.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 101 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7472, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic - Source IP: 104.16.167.228 - Destination IP: 192.168.2.11

Timestamp:	2024-07-25T03:05:03.248798+0200
SID:	2031515
Source Port:	80
Destination Port:	49705
Protocol:	TCP
Classtype:	Misc activity

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.11

Timestamp:	2024-07-25T03:05:59.261810+0200
SID:	2022930
Source Port:	443
Destination Port:	50118
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.11

Timestamp:	2024-07-25T03:05:21.160650+0200
SID:	2022930
Source Port:	443
Destination Port:	49896
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 - Source IP: 192.168.2.11 - Destination IP: 104.16.167.228

Timestamp:	2024-07-25T03:05:03.247481+0200
SID:	2024302
Source Port:	49705
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 - Source IP: 192.168.2.11 - Destination IP: 104.16.167.228

Timestamp:	2024-07-25T03:05:02.317541+0200
SID:	2024302
Source Port:	49704
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible WannaCry DNS Lookup 1 - Source IP: 192.168.2.11 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T03:05:01.754726+0200
SID:	2024291
Source Port:	64236
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET MALWARE Known Sinkhole Response Kryptos Logic - Source IP: 104.16.167.228 - Destination IP: 192.168.2.11

Timestamp:	2024-07-25T03:05:02.319513+0200
SID:	2031515
Source Port:	80
Destination Port:	49704
Protocol:	TCP
Classtype:	Misc activity

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_26.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	Avira URL Cloud: Label: phishing
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/z	Avira URL Cloud: Label: phishing
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/u	Avira URL Cloud: Label: phishing
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Avira URL Cloud: Label: phishing
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for domain / URL

Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Virustotal: Detection: 8%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: LisectAVT_2403002A_26.exe	ReversingLabs: Detection: 100%
Source: LisectAVT_2403002A_26.exe	Virustotal: Detection: 89%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_26.exe

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 10_2_004018B9 CryptReleaseContext,

10_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: LisectAVT_2403002A_26.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.11:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.11:50118 version: TLS 1.2

Networking

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Jul 2024 01:05:02 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 8a883d44ba7f7d1c-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Jul 2024 01:05:03 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 8a883d4adb6a43b1-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.105
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.105
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.105
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.105
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 63.131.224.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.136
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.136
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.136
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.136
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 158.15.154.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.101
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.101
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.101
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.101
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 48.239.46.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.3
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.42
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 87.253.190.16

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l+uax9tLW5uZ1WT&MD=MVy5HlLL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l+uax9tLW5uZ1WT&MD=MVy5HlLL HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: svchost.exe, 00000008.00000002.2521584302.000001E2F3685000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2521987156.000001E2F3F20000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000000.00000002.1372005571.000001C7B0013000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: LisectAVT_2403002A_26.exe	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000003.1300347634.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: LisectAVT_2403002A_26.exe, 00000009.00000003.1300347634.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/u
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/z
Source: LisectAVT_2403002A_26.exe, 00000009.00000002.1935072040.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371642803.000001C7B005A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371457057.000001C7B006E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372150683.000001C7B0070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371457057.000001C7B006E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372150683.000001C7B0070000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1372163560.000001C7B0077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371310107.000001C7B0075000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371642803.000001C7B005A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1372055102.000001C7B003F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.1371700354.000001C7B0030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1371291501.000001C7B0034000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.11:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.11:50118 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

10_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: LisectAVT_2403002A_26.exe, type: SAMPLE
Source: Yara match	File source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1276459985.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1291005843.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_26.exe PID: 7600, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_26.exe PID: 7980, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.1300769671.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

File created: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 10_2_00406C40	10_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402A76	10_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402E7E	10_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040350F	10_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00404C19	10_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040541F	10_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00403797	10_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 10_2_004043B7	10_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 10_2_004031BC	10_2_004031BC

Source: LisectAVT_2403002A_26.exe	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.4.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: LisectAVT_2403002A_26.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: LisectAVT_2403002A_26.exe, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.22a996c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.1d80128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.22778c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.LisectAVT_2403002A_26.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.1d4e084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 4.0.LisectAVT_2403002A_26.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d5d104.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.22828e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.2286948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.LisectAVT_2403002A_26.exe.1d590a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.1300769671.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 0000000A.00000000.1300769671.000000000040E000.00000008.00000001.01000000.00000006.sdmp, LisectAVT_2403002A_26.exe, tasksche.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winEXE@14/3@1/100

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00407C40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00401CE8

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Code function: 4_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,

4_2_00407CE0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_00407C40

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Code function: 4_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		4_2_00408090
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Code function: 9_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		9_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \BaseNamedObjects\Local\SM0:664:120:WilError_03

Source: C:\Program Files\Windows Defender\MpCmdRun.exe

File created: C:\Windows\SERVIC~1\LOCALS~1\AppData\Local\Temp\MpCmdRun.log

Jump to behavior

Source: LisectAVT_2403002A_26.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_26.exe	ReversingLabs: Detection: 100%
Source: LisectAVT_2403002A_26.exe	Virustotal: Detection: 89%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe "C:\Users\user\Desktop\LisectAVT_2403002A_26.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe C:\Users\user\Desktop\LisectAVT_2403002A_26.exe -m security
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: LisectAVT_2403002A_26.exe

Static file information: File size 3723271 > 1048576

Source: LisectAVT_2403002A_26.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x35b000

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 10_2_00407710 push eax; ret		10_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 10_2_004076C8 push eax; ret		10_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Executable created and started: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Code function: 4_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_00407C40

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe TID: 8052	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe TID: 8052	Thread sleep time: -184000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe TID: 8056	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe TID: 8056	Thread sleep count: 53 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe TID: 8052	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: svchost.exe, 00000003.00000002.2521664055.000002174E460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.2521568449.000002174E42B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.2521518661.000002174E413000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000003.1300347634.0000000000AC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000003.00000002.2521432329.000002174E402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWg
Source: svchost.exe, 00000003.00000002.2522028487.000002174E502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000003.00000002.2521861297.000002174E466000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000003.00000002.2521664055.000002174E460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 10_2_004029CC free,GetProcessHeap,HeapFree,

10_2_004029CC

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 00000007.00000002.2522266619.000001CF9E502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2522266619.000001CF9E502000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_26.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
LisectAVT_2403002A_26.exe	89%	Virustotal		Browse
LisectAVT_2403002A_26.exe	100%	Avira	TR/Ransom.Gen
LisectAVT_2403002A_26.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	9%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://dev.ditu.live.com/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Driving	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	100%	Avira URL Cloud	phishing
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Walking	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/z	100%	Avira URL Cloud	phishing
https://dev.virtualearth.net/REST/v1/Locations	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/u	100%	Avira URL Cloud	phishing
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	100%	Avira URL Cloud	phishing
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://dynamic.t	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Transit	0%	Avira URL Cloud	safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	0%	Avira URL Cloud	safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
http://www.bingmapsportal.com	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Locations	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T	100%	Avira URL Cloud	phishing
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	true	false	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	true	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000000.00000002.1372163560.000001C7B0077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371310107.000001C7B0075000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000000.00000002.1372055102.000001C7B003F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000003.1371291501.000001C7B0034000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/z	LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	svchost.exe, 00000008.00000002.2521584302.000001E2F3685000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2521987156.000001E2F3F20000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/u	LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371642803.000001C7B005A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371457057.000001C7B006E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372150683.000001C7B0070000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	LisectAVT_2403002A_26.exe	true	Avira URL Cloud: phishing	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000000.00000002.1372070090.000001C7B0042000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371656652.000001C7B0041000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT	LisectAVT_2403002A_26.exe, 00000004.00000002.1303050984.0000000000B7E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000000.00000002.1372005571.000001C7B0013000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000000.00000002.1372098446.000001C7B0058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371682933.000001C7B0057000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1372124807.000001C7B0063000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371642803.000001C7B005A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1372138499.000001C7B0068000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372023471.000001C7B002B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371520605.000001C7B0067000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T	LisectAVT_2403002A_26.exe, 00000009.00000003.1300347634.0000000000AB5000.00000004.00000020.00020000.00000000.sdmp, LisectAVT_2403002A_26.exe, 00000009.00000002.1935753998.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	LisectAVT_2403002A_26.exe, 00000009.00000002.1935072040.000000000019D000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000000.00000003.1371457057.000001C7B006E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1372150683.000001C7B0070000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1371700354.000001C7B0030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371538073.000001C7B0062000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
150.119.16.1	unknown	United States	4152	USDA-1US	false
80.174.132.1	unknown	Spain	6739	ONO-ASCableuropa-ONOES	false
72.95.55.1	unknown	United States	701	UUNETUS	false
139.162.58.75	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
48.239.46.101	unknown	United States	2686	ATGS-MMD-ASUS	false
80.174.132.167	unknown	Spain	6739	ONO-ASCableuropa-ONOES	false
87.253.190.1	unknown	Germany	35258	ITOSSDE	false
87.253.190.2	unknown	Germany	35258	ITOSSDE	false
139.162.58.2	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
139.162.58.1	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	false
94.82.132.1	unknown	Italy	3269	ASN-IBSNAZIT	false
193.191.213.98	unknown	Belgium	2611	BELNETBE	false
193.191.213.1	unknown	Belgium	2611	BELNETBE	false
62.251.83.65	unknown	Netherlands	3265	XS4ALL-NLAmsterdamNL	false
94.82.132.51	unknown	Italy	3269	ASN-IBSNAZIT	false
57.62.233.1	unknown	Belgium	2686	ATGS-MMD-ASUS	false
62.251.83.1	unknown	Netherlands	3265	XS4ALL-NLAmsterdamNL	false
26.155.142.1	unknown	United States	7922	COMCAST-7922US	false
104.140.149.1	unknown	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	false
68.36.231.1	unknown	United States	7922	COMCAST-7922US	false
90.50.189.27	unknown	France	3215	FranceTelecom-OrangeFR	false
210.84.101.51	unknown	Australia	703	UUNETUS	false
1.0.209.114	unknown	Thailand	23969	TOT-NETTOTPublicCompanyLimitedTH	false
48.239.46.2	unknown	United States	2686	ATGS-MMD-ASUS	false
48.239.46.1	unknown	United States	2686	ATGS-MMD-ASUS	false
184.73.129.1	unknown	United States	14618	AMAZON-AESUS	false
72.95.55.167	unknown	United States	701	UUNETUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481028
Start date and time:	2024-07-25 03:04:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_26.exe
Detection:	MAL
Classification:	mal100.rans.expl.evad.winEXE@14/3@1/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 8068 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:05:36	API Interceptor	112x Sleep call for process: LisectAVT_2403002A_26.exe modified
21:06:00	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	qt680eucI4.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	1w3BDu68Sg.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.167.228
	qCc1a4w5YZ.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.17.244.81
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.173.80
	02353699.exe	Get hash	malicious	Wannacry	Browse	104.16.173.80
	05894899.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81
	dNDbcC4Trx.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ONO-ASCableuropa-ONOES	92.249.48.47-skid.mpsl-2024-07-20T09_04_17.elf	Get hash	malicious	Mirai, Moobot	Browse	85.136.80.202
	MCiOZ89mRZ.elf	Get hash	malicious	Mirai	Browse	62.81.118.61
	jew.arm6.elf	Get hash	malicious	Mirai	Browse	84.124.178.145
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	85.251.45.40
	arm7.elf	Get hash	malicious	Mirai	Browse	89.140.65.57
	arm4-20240709-0417.elf	Get hash	malicious	Mirai	Browse	213.227.41.114
	arm7-20240707-0306.elf	Get hash	malicious	Mirai	Browse	84.127.11.101
	3jI8pe3luL.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	89.140.65.71
	jhpg1LVUrZ.elf	Get hash	malicious	Mirai	Browse	84.125.28.68
	h1dNV0rAcX.elf	Get hash	malicious	Mirai	Browse	62.81.143.73
USDA-1US	CSrnw4L6fz.elf	Get hash	malicious	Unknown	Browse	199.131.137.24
	YzP1CRQ7HF.elf	Get hash	malicious	Unknown	Browse	170.146.136.108
	faBNhIKHq4.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	166.2.82.27
	jklarm	Get hash	malicious	Unknown	Browse	199.159.109.41
	arm.elf	Get hash	malicious	Mirai	Browse	166.5.31.183
	botx.x86.elf	Get hash	malicious	Mirai	Browse	199.149.73.110
	botx.arm.elf	Get hash	malicious	Mirai	Browse	199.130.11.121
	botx.mips.elf	Get hash	malicious	Mirai	Browse	199.148.179.188
	jew.arm6.elf	Get hash	malicious	Mirai	Browse	199.136.182.165
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	199.151.202.36
UUNETUS	grVH45EWPn.exe	Get hash	malicious	Unknown	Browse	100.116.12.1
	94.156.8.9-skid.mips-2024-07-23T17_40_11.elf	Get hash	malicious	Mirai, Moobot	Browse	71.101.215.230
	94.156.8.9-skid.arm5-2024-07-23T17_40_09.elf	Get hash	malicious	Mirai, Moobot	Browse	173.77.121.51
	94.156.8.9-skid.x86_64-2024-07-23T17_40_08.elf	Get hash	malicious	Mirai, Moobot	Browse	208.215.57.254
	94.156.8.9-skid.ppc-2024-07-23T17_40_07.elf	Get hash	malicious	Mirai, Moobot	Browse	63.94.223.112
	94.156.8.9-skid.sh4-2024-07-23T17_40_06.elf	Get hash	malicious	Mirai, Moobot	Browse	198.228.155.108
	wAO7F8FbEz.elf	Get hash	malicious	Unknown	Browse	70.18.43.221
	yIRn1ZmsQF.elf	Get hash	malicious	Unknown	Browse	108.54.247.43
	0GJSC4Ua2K.elf	Get hash	malicious	Unknown	Browse	63.105.154.67
	BJu5gH74uD.elf	Get hash	malicious	Unknown	Browse	65.230.62.4
LINODE-APLinodeLLCUS	LisectAVT_2403002A_114.exe	Get hash	malicious	Remcos	Browse	173.255.204.62
	https://spotifyinfo.hosted.phplist.com/lists/lt.php?tid=cE5RAldVVgBRVk4GBlYLHwNRC1IeAVBSBUxVVAcHVwQBBlFcVwJLBgMAUwMCUQsfVgpcXR4NBwcPTFpVB1JOB1kGBwdXVA5VXgVWSAMEBgIPA1pSHglWUgdMV1YDUU5dCgYGSQcHDlBTBQADVVcCCw	Get hash	malicious	Unknown	Browse	45.33.29.14
	ZYlsAQi8bj.exe	Get hash	malicious	FloodFix	Browse	45.56.79.23
	http://bestfreinds.org	Get hash	malicious	Unknown	Browse	198.58.118.167
	http://hwylovermk.shop/product_details/5509027.html	Get hash	malicious	Unknown	Browse	45.79.24.154
	nZ8ZmTEBr7.exe	Get hash	malicious	Unknown	Browse	45.56.90.99
	nZ8ZmTEBr7.exe	Get hash	malicious	Unknown	Browse	45.56.90.99
	K7Vp9qOJMN.exe	Get hash	malicious	Remcos	Browse	173.255.204.62
	Quotation.xls	Get hash	malicious	Remcos	Browse	173.255.204.62
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	172.104.238.243

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	LisectAVT_2403002A_223.exe	Get hash	malicious	Wannacry	Browse	52.165.165.26
	hostr.exe	Get hash	malicious	Unknown	Browse	52.165.165.26
	FD79E637E91EC51483559DB807645755DBA0EF95199582FB48D4275445DBED5A.exe	Get hash	malicious	Unknown	Browse	52.165.165.26
	Fantom.exe	Get hash	malicious	Bdaejec	Browse	52.165.165.26
	https://cafehanoi.mx-router-ii.com/c/gjdg/vddcazcw/8-_r8_yol4c	Get hash	malicious	Phisher	Browse	52.165.165.26
	FC37EF5F08206CEEC28FA454C48311A16A8B9DAFC446BBC10E7A1DE1037BC1F8.exe	Get hash	malicious	Unknown	Browse	52.165.165.26
	https://chrome.google.com/webstore/detail/grass-extension/ilehaonighjijnmpnagapkhpcdbhclfg?hl=en&authuser=0	Get hash	malicious	Unknown	Browse	52.165.165.26
	F69B3AEC41D733F9A32066220188A064E26A2399BEEBF5EA2F722EF4ADBC2CB8.exe	Get hash	malicious	Unknown	Browse	52.165.165.26
	F10BAFE0C62DE2DA1705887BF5130BD10A300DA0CA00226076E1288BAE626560.exe	Get hash	malicious	Unknown	Browse	52.165.165.26
	EngRat v0.1.0B.exe	Get hash	malicious	Unknown	Browse	52.165.165.26

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.966299883488245
Encrypted:	false
SSDEEP:	24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:	24567B9212F806F6E3E27CDEB07728C0
SHA1:	371AE77042FFF52327BF4B929495D5603404107D
SHA-256:	82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:	5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.2453870436295627
Encrypted:	false
SSDEEP:	24:QOaqdmuF3rlL+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVxY:FaqdF7J+AAHdKoqKFxcxkFJ
MD5:	E03D4FB766144707149AAF220C7C93EC
SHA1:	1217AD354D01ECEC3AEEC8184E5DFD2D3F87FC0D
SHA-256:	411FADCACC0B86A9FDF3349FFD51C1C6DFEEE2D88DCD044A4B0B0E14775CBEC6
SHA-512:	FC60EE3CB2DADDA077A95E68CA5D1BC34DD99BE4DA34001CA032578355C37E039BBD81A48FFD09F7F37C35A0593E4E4371F0AEFEF2452592A8975B453C65EF37
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. J.u.l. .. 2.4. .. 2.0.2.4. .2.1.:.0.6.:.0.0.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\tasksche.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.172392869878933
Encrypted:	false
SSDEEP:	49152:nQ6MaPbcpVACtQF5Z+TSqTdX1HcQY6SAw5dZnvxJM0H9PAMEcaEau3K:Q63opJtK5ZcSUDcn6SAcdZvxWa9P593K
MD5:	3DF2667EF94776EEB272A1404801F118
SHA1:	0741698E6D3460284494B239BF6BAC7D9E0D3A99
SHA-256:	891FA5F91382FD21322DF4B0137F6C865D96FE376C88F6849592CD4942254520
SHA-512:	705921A25F6245E553358517A98996DEF0DCC878037F73BD332EE6DDD56CB208948B45A00CE42FBD94972E99A8959F44458DCF3669AC798625BFAEC8FDAF6DC6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.146766077869659
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_26.exe
File size:	3'723'271 bytes
MD5:	eb4f4c455604f0f1ce111fbefecd9e21
SHA1:	0a31ea9a024ecf6536283e1eda1f48458b10cbed
SHA256:	3f48a8d80cc55a1fbe9a210b60b07f3677b736b8a02d5408697d9df54a276776
SHA512:	e73c0fd6bf49a94ab6b1f02fe52fb86fee8040a1c4ff61d555ea5cbde6769b84c8b3ae911f3897f90f9d0a68124410938b65c604e3176bad208d9eb43b2a3acb
SSDEEP:	98304:y763opJtK5ZcSUDcn6SAcdZvxWa9P593:y763atKZcxcnZAcMadz
TLSH:	95063368622CD6BCE1051DB400B3C63AA6763C6556FF6A0F8B504DA73D53B6F7BC0A42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F0461113981h
cmp dword ptr [00431410h], ebx
jne 00007F046111386Eh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F0461113953h
push 0040B010h
push 0040B00Ch
call 00007F046111393Eh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007F046111390Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x35a454	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8bca	0x9000	799fa6f54ef4176da2990896faea65d8	False	0.534423828125	data	6.1345234015658825	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	d8037d744b539326c06e897625751cc9	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	1a70bbc4e633f193e7d92914eeb4a1f3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x35a454	0x35b000	9a4fcb263cf46b6d669a3fa1579af01c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
R	0x3100a4	0x35a000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States	0.8971652984619141
RT_VERSION	0x66a0a4	0x3b0	data	English	United States	0.7002118644067796

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T03:05:03.248798+0200	TCP	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	80	49705	104.16.167.228	192.168.2.11
2024-07-25T03:05:59.261810+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	50118	52.165.165.26	192.168.2.11
2024-07-25T03:05:21.160650+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49896	52.165.165.26	192.168.2.11
2024-07-25T03:05:03.247481+0200	TCP	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	49705	80	192.168.2.11	104.16.167.228
2024-07-25T03:05:02.317541+0200	TCP	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	49704	80	192.168.2.11	104.16.167.228
2024-07-25T03:05:01.754726+0200	UDP	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	64236	53	192.168.2.11	1.1.1.1
2024-07-25T03:05:02.319513+0200	TCP	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	80	49704	104.16.167.228	192.168.2.11

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:04:56.537849903 CEST	49671	443	192.168.2.11	204.79.197.203
Jul 25, 2024 03:04:58.584728956 CEST	49674	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:04:58.678505898 CEST	49673	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:00.382181883 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:00.694083929 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:01.303453922 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:01.350385904 CEST	49671	443	192.168.2.11	204.79.197.203
Jul 25, 2024 03:05:01.769368887 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:01.774236917 CEST	80	49704	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:01.774322033 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:01.774465084 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:01.779251099 CEST	80	49704	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:02.317466974 CEST	80	49704	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:02.317540884 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.317915916 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.319513083 CEST	80	49704	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:02.319586039 CEST	49704	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.325128078 CEST	80	49704	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:02.506567001 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:02.760409117 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.766112089 CEST	80	49705	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:02.766197920 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.766397953 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:02.771229029 CEST	80	49705	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:03.247416019 CEST	80	49705	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:03.247481108 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:03.247562885 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:03.248797894 CEST	80	49705	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:03.248841047 CEST	49705	80	192.168.2.11	104.16.167.228
Jul 25, 2024 03:05:03.252310991 CEST	80	49705	104.16.167.228	192.168.2.11
Jul 25, 2024 03:05:03.321157932 CEST	49706	445	192.168.2.11	210.194.28.48
Jul 25, 2024 03:05:03.325998068 CEST	445	49706	210.194.28.48	192.168.2.11
Jul 25, 2024 03:05:03.326070070 CEST	49706	445	192.168.2.11	210.194.28.48
Jul 25, 2024 03:05:03.326107025 CEST	49706	445	192.168.2.11	210.194.28.48
Jul 25, 2024 03:05:03.331269979 CEST	445	49706	210.194.28.48	192.168.2.11
Jul 25, 2024 03:05:03.331408978 CEST	445	49706	210.194.28.48	192.168.2.11
Jul 25, 2024 03:05:03.331495047 CEST	49706	445	192.168.2.11	210.194.28.48
Jul 25, 2024 03:05:03.341075897 CEST	49707	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.346745968 CEST	445	49707	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:03.346808910 CEST	49707	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.347503901 CEST	49707	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.350807905 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.353131056 CEST	445	49707	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:03.353176117 CEST	49707	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.356513023 CEST	445	49708	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:03.356575012 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.356614113 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:03.361560106 CEST	445	49708	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:04.915987015 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:05.321266890 CEST	49731	445	192.168.2.11	63.131.224.105
Jul 25, 2024 03:05:05.326374054 CEST	445	49731	63.131.224.105	192.168.2.11
Jul 25, 2024 03:05:05.326457024 CEST	49731	445	192.168.2.11	63.131.224.105
Jul 25, 2024 03:05:05.326510906 CEST	49731	445	192.168.2.11	63.131.224.105
Jul 25, 2024 03:05:05.326752901 CEST	49732	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.331499100 CEST	445	49732	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:05.331547976 CEST	49732	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.331621885 CEST	49732	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.331945896 CEST	445	49731	63.131.224.105	192.168.2.11
Jul 25, 2024 03:05:05.331998110 CEST	49731	445	192.168.2.11	63.131.224.105
Jul 25, 2024 03:05:05.333180904 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.336946964 CEST	445	49732	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:05.336992979 CEST	49732	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.338233948 CEST	445	49733	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:05.338303089 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.338356018 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:05.343518972 CEST	445	49733	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:07.336184978 CEST	49756	445	192.168.2.11	158.15.154.136
Jul 25, 2024 03:05:07.341073990 CEST	445	49756	158.15.154.136	192.168.2.11
Jul 25, 2024 03:05:07.341172934 CEST	49756	445	192.168.2.11	158.15.154.136
Jul 25, 2024 03:05:07.341272116 CEST	49756	445	192.168.2.11	158.15.154.136
Jul 25, 2024 03:05:07.341509104 CEST	49757	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.346340895 CEST	445	49757	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:07.346437931 CEST	49757	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.346482038 CEST	49757	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.346632957 CEST	445	49756	158.15.154.136	192.168.2.11
Jul 25, 2024 03:05:07.346685886 CEST	49756	445	192.168.2.11	158.15.154.136
Jul 25, 2024 03:05:07.347625971 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.351671934 CEST	445	49757	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:07.351758957 CEST	49757	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.353202105 CEST	445	49758	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:07.353276968 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.353332996 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:07.358474970 CEST	445	49758	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:08.194183111 CEST	49674	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:08.287807941 CEST	49673	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:09.351850986 CEST	49781	445	192.168.2.11	48.239.46.101
Jul 25, 2024 03:05:09.356741905 CEST	445	49781	48.239.46.101	192.168.2.11
Jul 25, 2024 03:05:09.356821060 CEST	49781	445	192.168.2.11	48.239.46.101
Jul 25, 2024 03:05:09.357034922 CEST	49782	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.358942986 CEST	49781	445	192.168.2.11	48.239.46.101
Jul 25, 2024 03:05:09.361928940 CEST	445	49782	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:09.361993074 CEST	49782	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.362021923 CEST	49782	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.363101006 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.364512920 CEST	445	49781	48.239.46.101	192.168.2.11
Jul 25, 2024 03:05:09.366312027 CEST	49781	445	192.168.2.11	48.239.46.101
Jul 25, 2024 03:05:09.367280006 CEST	445	49782	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:09.367377996 CEST	445	49782	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:09.367428064 CEST	49782	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.367826939 CEST	445	49783	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:09.367877960 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.367959976 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:09.373203993 CEST	445	49783	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:09.725425005 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:10.423316002 CEST	443	49703	173.222.162.42	192.168.2.11
Jul 25, 2024 03:05:10.423403025 CEST	49703	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:10.424669027 CEST	443	49703	173.222.162.42	192.168.2.11
Jul 25, 2024 03:05:10.424711943 CEST	49703	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:10.426152945 CEST	443	49703	173.222.162.42	192.168.2.11
Jul 25, 2024 03:05:10.426194906 CEST	49703	443	192.168.2.11	173.222.162.42
Jul 25, 2024 03:05:10.959698915 CEST	49671	443	192.168.2.11	204.79.197.203
Jul 25, 2024 03:05:11.367083073 CEST	49806	445	192.168.2.11	87.253.190.16
Jul 25, 2024 03:05:11.371978045 CEST	445	49806	87.253.190.16	192.168.2.11
Jul 25, 2024 03:05:11.372050047 CEST	49806	445	192.168.2.11	87.253.190.16
Jul 25, 2024 03:05:11.372134924 CEST	49806	445	192.168.2.11	87.253.190.16
Jul 25, 2024 03:05:11.372356892 CEST	49807	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.377228022 CEST	445	49807	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:11.377288103 CEST	49807	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.377329111 CEST	49807	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.377865076 CEST	445	49806	87.253.190.16	192.168.2.11
Jul 25, 2024 03:05:11.377913952 CEST	49806	445	192.168.2.11	87.253.190.16
Jul 25, 2024 03:05:11.378427982 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.384459972 CEST	445	49807	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:11.384471893 CEST	445	49807	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:11.384489059 CEST	445	49808	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:11.384531975 CEST	49807	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.384566069 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.384638071 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:11.389484882 CEST	445	49808	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:13.041135073 CEST	445	49808	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:13.041199923 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:13.041238070 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:13.041312933 CEST	49808	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:13.046014071 CEST	445	49808	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:13.046255112 CEST	445	49808	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:13.383146048 CEST	49831	445	192.168.2.11	196.52.62.188
Jul 25, 2024 03:05:13.388330936 CEST	445	49831	196.52.62.188	192.168.2.11
Jul 25, 2024 03:05:13.388408899 CEST	49831	445	192.168.2.11	196.52.62.188
Jul 25, 2024 03:05:13.388499022 CEST	49831	445	192.168.2.11	196.52.62.188
Jul 25, 2024 03:05:13.388725042 CEST	49832	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.393939018 CEST	445	49832	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:13.394117117 CEST	49832	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.394117117 CEST	49832	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.394793987 CEST	445	49831	196.52.62.188	192.168.2.11
Jul 25, 2024 03:05:13.394851923 CEST	49831	445	192.168.2.11	196.52.62.188
Jul 25, 2024 03:05:13.394908905 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.399714947 CEST	445	49833	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:13.399734020 CEST	445	49832	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:13.399843931 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.399843931 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.399970055 CEST	49832	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:13.404721975 CEST	445	49833	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:15.397702932 CEST	49854	445	192.168.2.11	90.50.189.27
Jul 25, 2024 03:05:15.403073072 CEST	445	49854	90.50.189.27	192.168.2.11
Jul 25, 2024 03:05:15.403219938 CEST	49854	445	192.168.2.11	90.50.189.27
Jul 25, 2024 03:05:15.403240919 CEST	49854	445	192.168.2.11	90.50.189.27
Jul 25, 2024 03:05:15.403493881 CEST	49855	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.409393072 CEST	445	49855	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:15.409589052 CEST	49855	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.409589052 CEST	49855	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.409854889 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.411694050 CEST	445	49854	90.50.189.27	192.168.2.11
Jul 25, 2024 03:05:15.412672043 CEST	445	49854	90.50.189.27	192.168.2.11
Jul 25, 2024 03:05:15.412759066 CEST	49854	445	192.168.2.11	90.50.189.27
Jul 25, 2024 03:05:15.415879965 CEST	445	49856	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:15.415997028 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.415997028 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.416714907 CEST	445	49855	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:15.416842937 CEST	49855	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:15.421233892 CEST	445	49856	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:16.053913116 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:16.058844090 CEST	445	49862	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:16.058968067 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:16.059027910 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:16.063853025 CEST	445	49862	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:17.413909912 CEST	49880	445	192.168.2.11	139.162.58.75
Jul 25, 2024 03:05:17.418836117 CEST	445	49880	139.162.58.75	192.168.2.11
Jul 25, 2024 03:05:17.418910027 CEST	49880	445	192.168.2.11	139.162.58.75
Jul 25, 2024 03:05:17.418978930 CEST	49880	445	192.168.2.11	139.162.58.75
Jul 25, 2024 03:05:17.419174910 CEST	49881	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.423918962 CEST	445	49881	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:17.424001932 CEST	49881	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.424027920 CEST	49881	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.424290895 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.424354076 CEST	445	49880	139.162.58.75	192.168.2.11
Jul 25, 2024 03:05:17.424403906 CEST	49880	445	192.168.2.11	139.162.58.75
Jul 25, 2024 03:05:17.429028034 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:17.429096937 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.429137945 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.429306984 CEST	445	49881	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:17.429352045 CEST	49881	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:17.433893919 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:17.731230974 CEST	445	49862	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:17.731347084 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:17.731462955 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:17.731544971 CEST	49862	445	192.168.2.11	87.253.190.1
Jul 25, 2024 03:05:17.736768007 CEST	445	49862	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:17.737150908 CEST	445	49862	87.253.190.1	192.168.2.11
Jul 25, 2024 03:05:17.788512945 CEST	49885	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.793519020 CEST	445	49885	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:17.793656111 CEST	49885	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.793752909 CEST	49885	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.794089079 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.798949957 CEST	445	49886	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:17.799292088 CEST	445	49885	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:17.799305916 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.799305916 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.799523115 CEST	445	49885	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:17.799938917 CEST	49885	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:17.804060936 CEST	445	49886	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:18.552130938 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:18.552181005 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:18.552261114 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:18.554349899 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:18.554364920 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:19.334712982 CEST	49676	443	192.168.2.11	20.189.173.3
Jul 25, 2024 03:05:19.429008007 CEST	49908	445	192.168.2.11	56.26.26.48
Jul 25, 2024 03:05:19.968110085 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.968166113 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:19.968200922 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:19.968242884 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:19.968306065 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.968359947 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:19.968405008 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.968455076 CEST	49882	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:19.972302914 CEST	445	49908	56.26.26.48	192.168.2.11
Jul 25, 2024 03:05:19.972392082 CEST	49908	445	192.168.2.11	56.26.26.48
Jul 25, 2024 03:05:19.972429991 CEST	49908	445	192.168.2.11	56.26.26.48
Jul 25, 2024 03:05:19.972709894 CEST	49912	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.973634005 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.973649979 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.973773956 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.973963022 CEST	445	49882	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:19.977982044 CEST	445	49912	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:19.978046894 CEST	49912	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.978133917 CEST	49912	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.978282928 CEST	445	49908	56.26.26.48	192.168.2.11
Jul 25, 2024 03:05:19.978327990 CEST	49908	445	192.168.2.11	56.26.26.48
Jul 25, 2024 03:05:19.978642941 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.985713959 CEST	445	49912	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:19.985861063 CEST	445	49913	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:19.985872030 CEST	445	49912	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:19.985919952 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.985944033 CEST	49912	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.986010075 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:19.990756035 CEST	445	49913	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:20.135463953 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:20.135535955 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:20.137990952 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:20.138005018 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:20.138348103 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:20.178457022 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:20.917036057 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:20.960500956 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159455061 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159523010 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159544945 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159584999 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159626961 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.159634113 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159657001 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.159667969 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.159703970 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.160223007 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.160295963 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.160301924 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.160417080 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.160592079 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.444881916 CEST	49936	445	192.168.2.11	104.140.149.141
Jul 25, 2024 03:05:21.449718952 CEST	445	49936	104.140.149.141	192.168.2.11
Jul 25, 2024 03:05:21.449978113 CEST	49936	445	192.168.2.11	104.140.149.141
Jul 25, 2024 03:05:21.454617023 CEST	49936	445	192.168.2.11	104.140.149.141
Jul 25, 2024 03:05:21.454672098 CEST	49937	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.459455013 CEST	445	49937	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:21.459558964 CEST	49937	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.459599018 CEST	49937	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.459621906 CEST	445	49936	104.140.149.141	192.168.2.11
Jul 25, 2024 03:05:21.459738970 CEST	49936	445	192.168.2.11	104.140.149.141
Jul 25, 2024 03:05:21.460167885 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.464998960 CEST	445	49938	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:21.465073109 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.465112925 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.465231895 CEST	445	49937	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:21.465331078 CEST	49937	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:21.469871998 CEST	445	49938	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:21.842701912 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.842751980 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:21.842777014 CEST	49896	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:21.842791080 CEST	443	49896	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:22.975578070 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:22.980659962 CEST	445	49954	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:22.980746984 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:22.980771065 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:22.985553026 CEST	445	49954	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:23.460340977 CEST	49958	445	192.168.2.11	202.46.46.52
Jul 25, 2024 03:05:23.465147018 CEST	445	49958	202.46.46.52	192.168.2.11
Jul 25, 2024 03:05:23.465214968 CEST	49958	445	192.168.2.11	202.46.46.52
Jul 25, 2024 03:05:23.465267897 CEST	49958	445	192.168.2.11	202.46.46.52
Jul 25, 2024 03:05:23.465434074 CEST	49960	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.470269918 CEST	445	49960	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:23.470343113 CEST	49960	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.470371962 CEST	49960	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.470568895 CEST	445	49958	202.46.46.52	192.168.2.11
Jul 25, 2024 03:05:23.470820904 CEST	49958	445	192.168.2.11	202.46.46.52
Jul 25, 2024 03:05:23.471052885 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.475824118 CEST	445	49961	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:23.476114035 CEST	445	49960	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:23.476164103 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.476164103 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.476306915 CEST	49960	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:23.481076002 CEST	445	49961	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:24.713586092 CEST	445	49708	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:24.713676929 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:24.713726997 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:24.713809967 CEST	49708	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:24.718792915 CEST	445	49708	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:24.718813896 CEST	445	49708	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:25.080662012 CEST	445	49954	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:25.080738068 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:25.080785990 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:25.080868006 CEST	49954	445	192.168.2.11	139.162.58.1
Jul 25, 2024 03:05:25.085648060 CEST	445	49954	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:25.085745096 CEST	445	49954	139.162.58.1	192.168.2.11
Jul 25, 2024 03:05:25.132150888 CEST	49980	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.137001991 CEST	445	49980	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:25.137144089 CEST	49980	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.137248039 CEST	49980	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.138365030 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.142982960 CEST	445	49980	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:25.143057108 CEST	49980	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.143151999 CEST	445	49981	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:25.143265963 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.143265963 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:25.148204088 CEST	445	49981	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:25.475941896 CEST	49985	445	192.168.2.11	184.73.129.31
Jul 25, 2024 03:05:25.480899096 CEST	445	49985	184.73.129.31	192.168.2.11
Jul 25, 2024 03:05:25.481013060 CEST	49985	445	192.168.2.11	184.73.129.31
Jul 25, 2024 03:05:25.481194019 CEST	49985	445	192.168.2.11	184.73.129.31
Jul 25, 2024 03:05:25.481509924 CEST	49986	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.487039089 CEST	445	49986	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:25.487077951 CEST	445	49985	184.73.129.31	192.168.2.11
Jul 25, 2024 03:05:25.487108946 CEST	49986	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.487131119 CEST	49985	445	192.168.2.11	184.73.129.31
Jul 25, 2024 03:05:25.487261057 CEST	49986	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.487729073 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.492494106 CEST	445	49987	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:25.492563963 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.492608070 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.494131088 CEST	445	49986	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:25.494183064 CEST	49986	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:25.497493029 CEST	445	49987	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:25.511930943 CEST	445	49961	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:25.512041092 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:25.512171030 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:25.512171030 CEST	49961	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:25.518279076 CEST	445	49961	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:25.518295050 CEST	445	49961	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:26.715066910 CEST	445	49733	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:26.715184927 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:26.715323925 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:26.715385914 CEST	49733	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:26.720854998 CEST	445	49733	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:26.720865965 CEST	445	49733	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:27.255553961 CEST	445	49981	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:27.255826950 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:27.255908966 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:27.255966902 CEST	49981	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:27.262774944 CEST	445	49981	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:27.262794971 CEST	445	49981	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:27.491477013 CEST	50010	445	192.168.2.11	72.95.55.167
Jul 25, 2024 03:05:27.496417999 CEST	445	50010	72.95.55.167	192.168.2.11
Jul 25, 2024 03:05:27.496503115 CEST	50010	445	192.168.2.11	72.95.55.167
Jul 25, 2024 03:05:27.496527910 CEST	50010	445	192.168.2.11	72.95.55.167
Jul 25, 2024 03:05:27.496937990 CEST	50011	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.501688957 CEST	445	50011	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:27.501835108 CEST	50011	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.501835108 CEST	50011	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.502058983 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.502088070 CEST	445	50010	72.95.55.167	192.168.2.11
Jul 25, 2024 03:05:27.502139091 CEST	50010	445	192.168.2.11	72.95.55.167
Jul 25, 2024 03:05:27.506963015 CEST	445	50012	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:27.507025957 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.507059097 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.507266045 CEST	445	50011	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:27.507340908 CEST	50011	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:27.511902094 CEST	445	50012	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:27.725791931 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:27.730912924 CEST	445	50014	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:27.731060982 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:27.731134892 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:27.736215115 CEST	445	50014	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:28.522435904 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:28.527375937 CEST	445	50015	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:28.527467966 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:28.527514935 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:28.532283068 CEST	445	50015	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:28.756180048 CEST	445	49758	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:28.756262064 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:28.756316900 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:28.756375074 CEST	49758	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:28.761307955 CEST	445	49758	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:28.761322021 CEST	445	49758	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:29.507122993 CEST	50016	445	192.168.2.11	157.92.67.217
Jul 25, 2024 03:05:29.512130022 CEST	445	50016	157.92.67.217	192.168.2.11
Jul 25, 2024 03:05:29.512248039 CEST	50016	445	192.168.2.11	157.92.67.217
Jul 25, 2024 03:05:29.512443066 CEST	50016	445	192.168.2.11	157.92.67.217
Jul 25, 2024 03:05:29.512445927 CEST	50017	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.517263889 CEST	445	50017	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:29.517318964 CEST	50017	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.517344952 CEST	50017	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.517575979 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.518358946 CEST	445	50016	157.92.67.217	192.168.2.11
Jul 25, 2024 03:05:29.518408060 CEST	50016	445	192.168.2.11	157.92.67.217
Jul 25, 2024 03:05:29.523761988 CEST	445	50018	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:29.523824930 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.523854971 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.524220943 CEST	445	50017	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:29.524230957 CEST	445	50017	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:29.524271965 CEST	50017	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:29.528671026 CEST	445	50018	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:29.725893974 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:29.730823994 CEST	445	50019	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:29.730915070 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:29.730972052 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:29.735820055 CEST	445	50019	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:30.256882906 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:30.261734009 CEST	445	50020	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:30.261821032 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:30.261976957 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:30.266707897 CEST	445	50020	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:30.572220087 CEST	445	50015	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:30.572323084 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:30.572360039 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:30.572396040 CEST	50015	445	192.168.2.11	202.46.46.1
Jul 25, 2024 03:05:30.579073906 CEST	445	50015	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:30.579087019 CEST	445	50015	202.46.46.1	192.168.2.11
Jul 25, 2024 03:05:30.636286974 CEST	50021	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.641237020 CEST	445	50021	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:30.641423941 CEST	50021	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.641423941 CEST	50021	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.642049074 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.646868944 CEST	445	50022	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:30.646929026 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.646960020 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.646977901 CEST	445	50021	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:30.647062063 CEST	50021	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:30.651905060 CEST	445	50022	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:30.787714958 CEST	445	49783	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:30.787816048 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:30.795300961 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:30.795377016 CEST	49783	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:30.800271034 CEST	445	49783	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:30.800307035 CEST	445	49783	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:31.522824049 CEST	50023	445	192.168.2.11	26.155.142.132
Jul 25, 2024 03:05:31.527844906 CEST	445	50023	26.155.142.132	192.168.2.11
Jul 25, 2024 03:05:31.527988911 CEST	50023	445	192.168.2.11	26.155.142.132
Jul 25, 2024 03:05:31.528006077 CEST	50023	445	192.168.2.11	26.155.142.132
Jul 25, 2024 03:05:31.528141022 CEST	50024	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.532951117 CEST	445	50024	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:31.533030033 CEST	50024	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.533044100 CEST	50024	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.533404112 CEST	445	50023	26.155.142.132	192.168.2.11
Jul 25, 2024 03:05:31.533462048 CEST	50023	445	192.168.2.11	26.155.142.132
Jul 25, 2024 03:05:31.533493996 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.538563013 CEST	445	50025	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:31.538595915 CEST	445	50024	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:31.538642883 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.538666964 CEST	50024	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.538713932 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:31.543576956 CEST	445	50025	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:31.757915974 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:31.763672113 CEST	445	50026	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:31.763756037 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:31.763814926 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:31.769179106 CEST	445	50026	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:32.382200956 CEST	445	50020	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:32.382328033 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:32.382360935 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:32.382402897 CEST	50020	445	192.168.2.11	139.162.58.2
Jul 25, 2024 03:05:32.387104988 CEST	445	50020	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:32.387231112 CEST	445	50020	139.162.58.2	192.168.2.11
Jul 25, 2024 03:05:32.445229053 CEST	50027	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.450155020 CEST	445	50027	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:32.450233936 CEST	50027	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.450265884 CEST	50027	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.450637102 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.455495119 CEST	445	50028	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:32.455562115 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.455579042 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.455902100 CEST	445	50027	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:32.455960035 CEST	50027	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:32.460586071 CEST	445	50028	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:33.538350105 CEST	50029	445	192.168.2.11	15.134.102.215
Jul 25, 2024 03:05:33.544446945 CEST	445	50029	15.134.102.215	192.168.2.11
Jul 25, 2024 03:05:33.544527054 CEST	50029	445	192.168.2.11	15.134.102.215
Jul 25, 2024 03:05:33.544559002 CEST	50029	445	192.168.2.11	15.134.102.215
Jul 25, 2024 03:05:33.544725895 CEST	50030	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.551038980 CEST	445	50030	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:33.551122904 CEST	50030	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.551187992 CEST	50030	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.551215887 CEST	445	50029	15.134.102.215	192.168.2.11
Jul 25, 2024 03:05:33.551265001 CEST	50029	445	192.168.2.11	15.134.102.215
Jul 25, 2024 03:05:33.551465034 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.558250904 CEST	445	50031	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:33.558330059 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.558358908 CEST	445	50030	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:33.558389902 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.558414936 CEST	50030	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:33.564408064 CEST	445	50031	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:33.803929090 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:33.808778048 CEST	445	50032	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:33.808906078 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:33.808971882 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:33.813657045 CEST	445	50032	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:34.548532009 CEST	445	50028	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:34.548652887 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:34.548705101 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:34.548749924 CEST	50028	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:34.553812981 CEST	445	50028	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:34.553832054 CEST	445	50028	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:34.798279047 CEST	445	49833	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:34.798485041 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:34.798485994 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:34.798576117 CEST	49833	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:34.803586960 CEST	445	49833	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:34.803599119 CEST	445	49833	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:35.592325926 CEST	50033	445	192.168.2.11	1.0.209.114
Jul 25, 2024 03:05:35.597218990 CEST	445	50033	1.0.209.114	192.168.2.11
Jul 25, 2024 03:05:35.597304106 CEST	50033	445	192.168.2.11	1.0.209.114
Jul 25, 2024 03:05:35.610426903 CEST	50033	445	192.168.2.11	1.0.209.114
Jul 25, 2024 03:05:35.610488892 CEST	50034	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.615535975 CEST	445	50033	1.0.209.114	192.168.2.11
Jul 25, 2024 03:05:35.615611076 CEST	50033	445	192.168.2.11	1.0.209.114
Jul 25, 2024 03:05:35.616944075 CEST	445	50034	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:35.617018938 CEST	50034	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.617167950 CEST	50034	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.618813992 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.622571945 CEST	445	50034	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:35.622636080 CEST	50034	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.623644114 CEST	445	50035	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:35.623703003 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.623769045 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:35.629251003 CEST	445	50035	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:36.816982031 CEST	445	49856	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:36.817208052 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:36.817208052 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:36.817300081 CEST	49856	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:36.822192907 CEST	445	49856	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:36.822227001 CEST	445	49856	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:37.553837061 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:37.560703039 CEST	445	50036	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:37.560817957 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:37.560873032 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:37.565815926 CEST	445	50036	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:37.604167938 CEST	50037	445	192.168.2.11	150.119.16.59
Jul 25, 2024 03:05:37.609600067 CEST	445	50037	150.119.16.59	192.168.2.11
Jul 25, 2024 03:05:37.609715939 CEST	50037	445	192.168.2.11	150.119.16.59
Jul 25, 2024 03:05:37.609744072 CEST	50037	445	192.168.2.11	150.119.16.59
Jul 25, 2024 03:05:37.609880924 CEST	50038	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.620459080 CEST	445	50038	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:37.620817900 CEST	50038	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.620817900 CEST	50038	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.621573925 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.624567032 CEST	445	50037	150.119.16.59	192.168.2.11
Jul 25, 2024 03:05:37.624650955 CEST	50037	445	192.168.2.11	150.119.16.59
Jul 25, 2024 03:05:37.626486063 CEST	445	50038	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:37.626548052 CEST	50038	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.626579046 CEST	445	50039	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:37.626641035 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.626704931 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:37.631516933 CEST	445	50039	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:37.807877064 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:37.813173056 CEST	445	50040	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:37.813252926 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:37.813318968 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:37.818464041 CEST	445	50040	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:39.171304941 CEST	445	49886	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:39.171408892 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:39.171410084 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:39.171495914 CEST	49886	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:39.178534031 CEST	445	49886	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:39.178545952 CEST	445	49886	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:39.475867033 CEST	50041	445	192.168.2.11	57.62.233.90
Jul 25, 2024 03:05:39.480737925 CEST	445	50041	57.62.233.90	192.168.2.11
Jul 25, 2024 03:05:39.480859041 CEST	50041	445	192.168.2.11	57.62.233.90
Jul 25, 2024 03:05:39.480886936 CEST	50041	445	192.168.2.11	57.62.233.90
Jul 25, 2024 03:05:39.481004000 CEST	50042	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.485791922 CEST	445	50042	57.62.233.1	192.168.2.11
Jul 25, 2024 03:05:39.485876083 CEST	50042	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.485996008 CEST	50042	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.486162901 CEST	445	50041	57.62.233.90	192.168.2.11
Jul 25, 2024 03:05:39.486211061 CEST	50041	445	192.168.2.11	57.62.233.90
Jul 25, 2024 03:05:39.486402035 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.491288900 CEST	445	50042	57.62.233.1	192.168.2.11
Jul 25, 2024 03:05:39.491465092 CEST	445	50042	57.62.233.1	192.168.2.11
Jul 25, 2024 03:05:39.491491079 CEST	445	50043	57.62.233.1	192.168.2.11
Jul 25, 2024 03:05:39.491518021 CEST	50042	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.491568089 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.491607904 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:05:39.496359110 CEST	445	50043	57.62.233.1	192.168.2.11
Jul 25, 2024 03:05:39.704937935 CEST	445	50036	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:39.705120087 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:39.705156088 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:39.705156088 CEST	50036	445	192.168.2.11	139.162.58.3
Jul 25, 2024 03:05:39.712393999 CEST	445	50036	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:39.712425947 CEST	445	50036	139.162.58.3	192.168.2.11
Jul 25, 2024 03:05:39.756807089 CEST	50044	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.769961119 CEST	445	50044	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:39.770039082 CEST	50044	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.770129919 CEST	50044	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.770488024 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.778388977 CEST	445	50045	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:39.778449059 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.778501034 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.779969931 CEST	445	50044	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:39.780028105 CEST	50044	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:39.786192894 CEST	445	50045	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:39.819333076 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:39.830826044 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:39.830936909 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:39.830961943 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:05:39.839298964 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:05:41.225944042 CEST	50047	445	192.168.2.11	24.92.172.43
Jul 25, 2024 03:05:41.288674116 CEST	445	50047	24.92.172.43	192.168.2.11
Jul 25, 2024 03:05:41.288815022 CEST	50047	445	192.168.2.11	24.92.172.43
Jul 25, 2024 03:05:41.288865089 CEST	50047	445	192.168.2.11	24.92.172.43
Jul 25, 2024 03:05:41.289072990 CEST	50048	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.295128107 CEST	445	50048	24.92.172.1	192.168.2.11
Jul 25, 2024 03:05:41.295195103 CEST	50048	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.295311928 CEST	50048	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.295639038 CEST	445	50047	24.92.172.43	192.168.2.11
Jul 25, 2024 03:05:41.295660019 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.295698881 CEST	50047	445	192.168.2.11	24.92.172.43
Jul 25, 2024 03:05:41.301445961 CEST	445	50049	24.92.172.1	192.168.2.11
Jul 25, 2024 03:05:41.301521063 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.301569939 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.303483009 CEST	445	50048	24.92.172.1	192.168.2.11
Jul 25, 2024 03:05:41.303538084 CEST	50048	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:05:41.312000990 CEST	445	50049	24.92.172.1	192.168.2.11
Jul 25, 2024 03:05:41.356689930 CEST	445	49913	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:41.356805086 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:41.356838942 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:41.356884956 CEST	49913	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:41.362715006 CEST	445	49913	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:41.362726927 CEST	445	49913	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:41.858854055 CEST	445	50045	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:41.858979940 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:41.859020948 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:41.859067917 CEST	50045	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:41.863750935 CEST	445	50045	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:41.863939047 CEST	445	50045	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:42.178731918 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:42.183625937 CEST	445	50050	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:42.183860064 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:42.183860064 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:05:42.188951969 CEST	445	50050	87.253.190.2	192.168.2.11
Jul 25, 2024 03:05:42.863128901 CEST	445	49938	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:42.863198996 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:42.863246918 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:42.863290071 CEST	49938	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:42.866544962 CEST	50051	445	192.168.2.11	58.140.208.79
Jul 25, 2024 03:05:42.868168116 CEST	445	49938	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:42.868220091 CEST	445	49938	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:42.871893883 CEST	445	50051	58.140.208.79	192.168.2.11
Jul 25, 2024 03:05:42.872008085 CEST	50051	445	192.168.2.11	58.140.208.79
Jul 25, 2024 03:05:42.872195959 CEST	50051	445	192.168.2.11	58.140.208.79
Jul 25, 2024 03:05:42.872296095 CEST	50052	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.878593922 CEST	445	50052	58.140.208.1	192.168.2.11
Jul 25, 2024 03:05:42.878698111 CEST	50052	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.878770113 CEST	50052	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.879121065 CEST	445	50051	58.140.208.79	192.168.2.11
Jul 25, 2024 03:05:42.879142046 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.879203081 CEST	50051	445	192.168.2.11	58.140.208.79
Jul 25, 2024 03:05:42.884608030 CEST	445	50053	58.140.208.1	192.168.2.11
Jul 25, 2024 03:05:42.884661913 CEST	445	50052	58.140.208.1	192.168.2.11
Jul 25, 2024 03:05:42.884670973 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.884707928 CEST	50052	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.884738922 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:05:42.890367031 CEST	445	50053	58.140.208.1	192.168.2.11
Jul 25, 2024 03:05:44.366271973 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:44.371180058 CEST	445	50054	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:44.371305943 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:44.371342897 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:05:44.376151085 CEST	445	50054	56.26.26.1	192.168.2.11
Jul 25, 2024 03:05:44.397634029 CEST	50055	445	192.168.2.11	62.251.83.65
Jul 25, 2024 03:05:44.403146982 CEST	445	50055	62.251.83.65	192.168.2.11
Jul 25, 2024 03:05:44.403233051 CEST	50055	445	192.168.2.11	62.251.83.65
Jul 25, 2024 03:05:44.403299093 CEST	50055	445	192.168.2.11	62.251.83.65
Jul 25, 2024 03:05:44.403397083 CEST	50056	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.408230066 CEST	445	50056	62.251.83.1	192.168.2.11
Jul 25, 2024 03:05:44.408304930 CEST	50056	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.408329010 CEST	50056	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.408541918 CEST	445	50055	62.251.83.65	192.168.2.11
Jul 25, 2024 03:05:44.408600092 CEST	50055	445	192.168.2.11	62.251.83.65
Jul 25, 2024 03:05:44.408713102 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.413463116 CEST	445	50056	62.251.83.1	192.168.2.11
Jul 25, 2024 03:05:44.413522959 CEST	50056	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.413604975 CEST	445	50057	62.251.83.1	192.168.2.11
Jul 25, 2024 03:05:44.413674116 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.413722038 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:05:44.418591976 CEST	445	50057	62.251.83.1	192.168.2.11
Jul 25, 2024 03:05:44.866343975 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:44.871640921 CEST	445	50058	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:44.871783018 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:44.871783018 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:44.876678944 CEST	445	50058	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:45.824673891 CEST	50059	445	192.168.2.11	204.216.232.66
Jul 25, 2024 03:05:45.866394043 CEST	50060	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:46.645170927 CEST	445	50059	204.216.232.66	192.168.2.11
Jul 25, 2024 03:05:46.645211935 CEST	445	50060	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:46.645432949 CEST	50059	445	192.168.2.11	204.216.232.66
Jul 25, 2024 03:05:46.645488977 CEST	50059	445	192.168.2.11	204.216.232.66
Jul 25, 2024 03:05:46.645494938 CEST	50060	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:46.645575047 CEST	50060	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:05:46.645775080 CEST	50061	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.651884079 CEST	445	50060	104.140.149.1	192.168.2.11
Jul 25, 2024 03:05:46.651915073 CEST	445	50061	204.216.232.1	192.168.2.11
Jul 25, 2024 03:05:46.652003050 CEST	50061	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.652215004 CEST	50061	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.652502060 CEST	50062	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.652848005 CEST	445	50059	204.216.232.66	192.168.2.11
Jul 25, 2024 03:05:46.652918100 CEST	50059	445	192.168.2.11	204.216.232.66
Jul 25, 2024 03:05:46.657499075 CEST	445	50062	204.216.232.1	192.168.2.11
Jul 25, 2024 03:05:46.657530069 CEST	445	50061	204.216.232.1	192.168.2.11
Jul 25, 2024 03:05:46.657586098 CEST	50062	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.657608986 CEST	50061	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.657900095 CEST	50062	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:05:46.662728071 CEST	445	50062	204.216.232.1	192.168.2.11
Jul 25, 2024 03:05:46.886481047 CEST	445	49987	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:46.886637926 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:46.886689901 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:46.886749029 CEST	49987	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:46.892200947 CEST	445	49987	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:46.893415928 CEST	445	49987	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:46.952332020 CEST	445	50058	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:46.952455997 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:46.952493906 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:46.953001022 CEST	50058	445	192.168.2.11	139.162.58.4
Jul 25, 2024 03:05:46.961822987 CEST	445	50058	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:46.963869095 CEST	445	50058	139.162.58.4	192.168.2.11
Jul 25, 2024 03:05:47.007123947 CEST	50063	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.015866995 CEST	445	50063	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:47.015974998 CEST	50063	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.016040087 CEST	50063	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.016395092 CEST	50064	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.025083065 CEST	445	50064	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:47.025099039 CEST	445	50063	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:47.025207996 CEST	50063	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.025234938 CEST	50064	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:47.033674955 CEST	445	50064	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:47.147739887 CEST	50065	445	192.168.2.11	129.12.189.188
Jul 25, 2024 03:05:47.152803898 CEST	445	50065	129.12.189.188	192.168.2.11
Jul 25, 2024 03:05:47.152960062 CEST	50065	445	192.168.2.11	129.12.189.188
Jul 25, 2024 03:05:47.152960062 CEST	50065	445	192.168.2.11	129.12.189.188
Jul 25, 2024 03:05:47.153577089 CEST	50066	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.158447981 CEST	445	50065	129.12.189.188	192.168.2.11
Jul 25, 2024 03:05:47.158480883 CEST	445	50066	129.12.189.1	192.168.2.11
Jul 25, 2024 03:05:47.158504009 CEST	50065	445	192.168.2.11	129.12.189.188
Jul 25, 2024 03:05:47.158562899 CEST	50066	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.158593893 CEST	50066	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.158848047 CEST	50067	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.163736105 CEST	445	50067	129.12.189.1	192.168.2.11
Jul 25, 2024 03:05:47.163803101 CEST	50067	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.163834095 CEST	50067	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.164124012 CEST	445	50066	129.12.189.1	192.168.2.11
Jul 25, 2024 03:05:47.164179087 CEST	50066	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:05:47.168958902 CEST	445	50067	129.12.189.1	192.168.2.11
Jul 25, 2024 03:05:48.383157015 CEST	50068	445	192.168.2.11	94.82.132.51
Jul 25, 2024 03:05:48.388041019 CEST	445	50068	94.82.132.51	192.168.2.11
Jul 25, 2024 03:05:48.388108015 CEST	50068	445	192.168.2.11	94.82.132.51
Jul 25, 2024 03:05:48.388185024 CEST	50068	445	192.168.2.11	94.82.132.51
Jul 25, 2024 03:05:48.388334990 CEST	50069	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.393177032 CEST	445	50069	94.82.132.1	192.168.2.11
Jul 25, 2024 03:05:48.393232107 CEST	50069	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.393311024 CEST	50069	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.393594980 CEST	50070	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.393713951 CEST	445	50068	94.82.132.51	192.168.2.11
Jul 25, 2024 03:05:48.393759012 CEST	50068	445	192.168.2.11	94.82.132.51
Jul 25, 2024 03:05:48.398416996 CEST	445	50070	94.82.132.1	192.168.2.11
Jul 25, 2024 03:05:48.398487091 CEST	50070	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.398523092 CEST	445	50069	94.82.132.1	192.168.2.11
Jul 25, 2024 03:05:48.398530006 CEST	50070	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.398564100 CEST	50069	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:05:48.403318882 CEST	445	50070	94.82.132.1	192.168.2.11
Jul 25, 2024 03:05:48.918153048 CEST	445	50012	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:48.918231964 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:48.918311119 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:48.918312073 CEST	50012	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:48.923166037 CEST	445	50012	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:48.923192978 CEST	445	50012	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:49.113509893 CEST	445	50064	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:49.113575935 CEST	50064	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:49.113610029 CEST	50064	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:49.113673925 CEST	50064	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:49.120642900 CEST	445	50064	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:49.120671988 CEST	445	50064	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:49.126211882 CEST	445	50014	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:49.126271963 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:49.126344919 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:49.126424074 CEST	50014	445	192.168.2.11	210.194.28.1
Jul 25, 2024 03:05:49.131221056 CEST	445	50014	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:49.131365061 CEST	445	50014	210.194.28.1	192.168.2.11
Jul 25, 2024 03:05:49.178778887 CEST	50071	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.184089899 CEST	445	50071	210.194.28.2	192.168.2.11
Jul 25, 2024 03:05:49.184174061 CEST	50071	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.184202909 CEST	50071	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.184541941 CEST	50072	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.191698074 CEST	445	50072	210.194.28.2	192.168.2.11
Jul 25, 2024 03:05:49.191869974 CEST	50072	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.191936970 CEST	50072	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.192958117 CEST	445	50071	210.194.28.2	192.168.2.11
Jul 25, 2024 03:05:49.193013906 CEST	50071	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:05:49.197005987 CEST	445	50072	210.194.28.2	192.168.2.11
Jul 25, 2024 03:05:49.538785934 CEST	50073	445	192.168.2.11	192.240.220.214
Jul 25, 2024 03:05:49.543864965 CEST	445	50073	192.240.220.214	192.168.2.11
Jul 25, 2024 03:05:49.543965101 CEST	50073	445	192.168.2.11	192.240.220.214
Jul 25, 2024 03:05:49.544003010 CEST	50073	445	192.168.2.11	192.240.220.214
Jul 25, 2024 03:05:49.544140100 CEST	50074	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.548932076 CEST	445	50074	192.240.220.1	192.168.2.11
Jul 25, 2024 03:05:49.549010992 CEST	50074	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.549086094 CEST	50074	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.549438953 CEST	50075	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.549644947 CEST	445	50073	192.240.220.214	192.168.2.11
Jul 25, 2024 03:05:49.549715042 CEST	50073	445	192.168.2.11	192.240.220.214
Jul 25, 2024 03:05:49.554294109 CEST	445	50075	192.240.220.1	192.168.2.11
Jul 25, 2024 03:05:49.554364920 CEST	50075	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.554423094 CEST	50075	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.554532051 CEST	445	50074	192.240.220.1	192.168.2.11
Jul 25, 2024 03:05:49.554589033 CEST	50074	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:05:49.559231997 CEST	445	50075	192.240.220.1	192.168.2.11
Jul 25, 2024 03:05:49.897494078 CEST	50076	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:49.902458906 CEST	445	50076	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:49.902558088 CEST	50076	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:49.902618885 CEST	50076	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:05:49.907633066 CEST	445	50076	184.73.129.1	192.168.2.11
Jul 25, 2024 03:05:50.616525888 CEST	50077	445	192.168.2.11	30.97.153.137
Jul 25, 2024 03:05:50.622039080 CEST	445	50077	30.97.153.137	192.168.2.11
Jul 25, 2024 03:05:50.622173071 CEST	50077	445	192.168.2.11	30.97.153.137
Jul 25, 2024 03:05:50.622200012 CEST	50077	445	192.168.2.11	30.97.153.137
Jul 25, 2024 03:05:50.622411966 CEST	50078	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.629146099 CEST	445	50078	30.97.153.1	192.168.2.11
Jul 25, 2024 03:05:50.629359961 CEST	50078	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.629475117 CEST	445	50077	30.97.153.137	192.168.2.11
Jul 25, 2024 03:05:50.629503965 CEST	50078	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.629522085 CEST	50077	445	192.168.2.11	30.97.153.137
Jul 25, 2024 03:05:50.629818916 CEST	50079	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.634923935 CEST	445	50078	30.97.153.1	192.168.2.11
Jul 25, 2024 03:05:50.634952068 CEST	445	50079	30.97.153.1	192.168.2.11
Jul 25, 2024 03:05:50.635001898 CEST	50078	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.635035038 CEST	50079	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.635075092 CEST	50079	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:05:50.640074015 CEST	445	50079	30.97.153.1	192.168.2.11
Jul 25, 2024 03:05:50.923458099 CEST	445	50018	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:50.923551083 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:50.923588991 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:50.923635960 CEST	50018	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:50.928400040 CEST	445	50018	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:50.928422928 CEST	445	50018	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:51.107362032 CEST	445	50019	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:51.107438087 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:51.107506037 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:51.107589960 CEST	50019	445	192.168.2.11	63.131.224.1
Jul 25, 2024 03:05:51.112360954 CEST	445	50019	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:51.112422943 CEST	445	50019	63.131.224.1	192.168.2.11
Jul 25, 2024 03:05:51.163379908 CEST	50080	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.168905973 CEST	445	50080	63.131.224.2	192.168.2.11
Jul 25, 2024 03:05:51.168977976 CEST	50080	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.169100046 CEST	50080	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.169708014 CEST	50081	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.174922943 CEST	445	50081	63.131.224.2	192.168.2.11
Jul 25, 2024 03:05:51.174987078 CEST	50081	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.174993038 CEST	445	50080	63.131.224.2	192.168.2.11
Jul 25, 2024 03:05:51.175055027 CEST	50080	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.175223112 CEST	50081	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:05:51.180090904 CEST	445	50081	63.131.224.2	192.168.2.11
Jul 25, 2024 03:05:51.632132053 CEST	50082	445	192.168.2.11	193.191.213.98
Jul 25, 2024 03:05:51.637222052 CEST	445	50082	193.191.213.98	192.168.2.11
Jul 25, 2024 03:05:51.637343884 CEST	50082	445	192.168.2.11	193.191.213.98
Jul 25, 2024 03:05:51.637424946 CEST	50082	445	192.168.2.11	193.191.213.98
Jul 25, 2024 03:05:51.637769938 CEST	50083	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.642615080 CEST	445	50083	193.191.213.1	192.168.2.11
Jul 25, 2024 03:05:51.642678976 CEST	50083	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.642739058 CEST	50083	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.642961025 CEST	50084	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.643062115 CEST	445	50082	193.191.213.98	192.168.2.11
Jul 25, 2024 03:05:51.643116951 CEST	50082	445	192.168.2.11	193.191.213.98
Jul 25, 2024 03:05:51.647972107 CEST	445	50084	193.191.213.1	192.168.2.11
Jul 25, 2024 03:05:51.648053885 CEST	50084	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.648067951 CEST	50084	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.648116112 CEST	445	50083	193.191.213.1	192.168.2.11
Jul 25, 2024 03:05:51.648170948 CEST	50083	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:05:51.653132915 CEST	445	50084	193.191.213.1	192.168.2.11
Jul 25, 2024 03:05:51.928929090 CEST	50085	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:51.934695005 CEST	445	50085	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:51.934832096 CEST	50085	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:51.934921980 CEST	50085	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:05:51.940694094 CEST	445	50085	72.95.55.1	192.168.2.11
Jul 25, 2024 03:05:51.996124983 CEST	445	50022	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:51.996287107 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:51.996287107 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:51.996287107 CEST	50022	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:52.001696110 CEST	445	50022	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:52.001749039 CEST	445	50022	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:52.116189003 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:52.121370077 CEST	445	50086	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:52.121490955 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:52.121490955 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:52.126451015 CEST	445	50086	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:52.569756031 CEST	50087	445	192.168.2.11	210.84.101.51
Jul 25, 2024 03:05:52.574773073 CEST	445	50087	210.84.101.51	192.168.2.11
Jul 25, 2024 03:05:52.574923038 CEST	50087	445	192.168.2.11	210.84.101.51
Jul 25, 2024 03:05:52.574923038 CEST	50087	445	192.168.2.11	210.84.101.51
Jul 25, 2024 03:05:52.575084925 CEST	50088	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.579919100 CEST	445	50088	210.84.101.1	192.168.2.11
Jul 25, 2024 03:05:52.579999924 CEST	50088	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.580034971 CEST	50088	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.580312967 CEST	50089	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.580342054 CEST	445	50087	210.84.101.51	192.168.2.11
Jul 25, 2024 03:05:52.580414057 CEST	50087	445	192.168.2.11	210.84.101.51
Jul 25, 2024 03:05:52.585122108 CEST	445	50089	210.84.101.1	192.168.2.11
Jul 25, 2024 03:05:52.585305929 CEST	50089	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.585347891 CEST	50089	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.585505009 CEST	445	50088	210.84.101.1	192.168.2.11
Jul 25, 2024 03:05:52.585561037 CEST	50088	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:05:52.590140104 CEST	445	50089	210.84.101.1	192.168.2.11
Jul 25, 2024 03:05:52.926640034 CEST	445	50025	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:52.926776886 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:52.926820040 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:52.926863909 CEST	50025	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:52.935064077 CEST	445	50025	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:52.935117006 CEST	445	50025	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:53.141231060 CEST	445	50026	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:53.141345024 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:53.141424894 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:53.141504049 CEST	50026	445	192.168.2.11	158.15.154.1
Jul 25, 2024 03:05:53.147737026 CEST	445	50026	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:53.147787094 CEST	445	50026	158.15.154.1	192.168.2.11
Jul 25, 2024 03:05:53.194456100 CEST	50090	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.200537920 CEST	445	50090	158.15.154.2	192.168.2.11
Jul 25, 2024 03:05:53.200602055 CEST	50090	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.200644016 CEST	50090	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.201023102 CEST	50091	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.205862045 CEST	445	50091	158.15.154.2	192.168.2.11
Jul 25, 2024 03:05:53.205943108 CEST	445	50090	158.15.154.2	192.168.2.11
Jul 25, 2024 03:05:53.205959082 CEST	50091	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.205981016 CEST	50091	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.206001043 CEST	50090	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:05:53.212189913 CEST	445	50091	158.15.154.2	192.168.2.11
Jul 25, 2024 03:05:53.455017090 CEST	50092	445	192.168.2.11	217.85.57.196
Jul 25, 2024 03:05:53.464577913 CEST	445	50092	217.85.57.196	192.168.2.11
Jul 25, 2024 03:05:53.464735985 CEST	50092	445	192.168.2.11	217.85.57.196
Jul 25, 2024 03:05:53.464780092 CEST	50092	445	192.168.2.11	217.85.57.196
Jul 25, 2024 03:05:53.464941978 CEST	50093	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.474324942 CEST	445	50093	217.85.57.1	192.168.2.11
Jul 25, 2024 03:05:53.474432945 CEST	50093	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.474529028 CEST	50093	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.474786043 CEST	445	50092	217.85.57.196	192.168.2.11
Jul 25, 2024 03:05:53.474852085 CEST	50092	445	192.168.2.11	217.85.57.196
Jul 25, 2024 03:05:53.474905014 CEST	50094	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.483226061 CEST	445	50094	217.85.57.1	192.168.2.11
Jul 25, 2024 03:05:53.483293056 CEST	445	50093	217.85.57.1	192.168.2.11
Jul 25, 2024 03:05:53.483344078 CEST	50094	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.483407021 CEST	50094	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.483407021 CEST	50093	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:05:53.488902092 CEST	445	50094	217.85.57.1	192.168.2.11
Jul 25, 2024 03:05:53.929009914 CEST	50095	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:53.933809996 CEST	445	50095	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:53.933923960 CEST	50095	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:53.933923960 CEST	50095	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:05:53.938733101 CEST	445	50095	157.92.67.1	192.168.2.11
Jul 25, 2024 03:05:54.182446957 CEST	445	50086	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:54.182540894 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:54.182625055 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:54.182625055 CEST	50086	445	192.168.2.11	139.162.58.5
Jul 25, 2024 03:05:54.187876940 CEST	445	50086	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:54.187930107 CEST	445	50086	139.162.58.5	192.168.2.11
Jul 25, 2024 03:05:54.241724968 CEST	50096	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.247323036 CEST	445	50096	139.162.58.6	192.168.2.11
Jul 25, 2024 03:05:54.247538090 CEST	50096	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.247538090 CEST	50096	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.248023033 CEST	50097	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.253143072 CEST	445	50097	139.162.58.6	192.168.2.11
Jul 25, 2024 03:05:54.253237009 CEST	445	50096	139.162.58.6	192.168.2.11
Jul 25, 2024 03:05:54.253317118 CEST	50097	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.253317118 CEST	50097	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.254000902 CEST	50096	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:05:54.258121967 CEST	445	50097	139.162.58.6	192.168.2.11
Jul 25, 2024 03:05:54.273499012 CEST	50098	445	192.168.2.11	80.174.132.167
Jul 25, 2024 03:05:54.278330088 CEST	445	50098	80.174.132.167	192.168.2.11
Jul 25, 2024 03:05:54.278456926 CEST	50098	445	192.168.2.11	80.174.132.167
Jul 25, 2024 03:05:54.278456926 CEST	50098	445	192.168.2.11	80.174.132.167
Jul 25, 2024 03:05:54.278594971 CEST	50099	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.283576012 CEST	445	50099	80.174.132.1	192.168.2.11
Jul 25, 2024 03:05:54.283714056 CEST	50099	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.283860922 CEST	50099	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.284176111 CEST	50100	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.284909010 CEST	445	50098	80.174.132.167	192.168.2.11
Jul 25, 2024 03:05:54.285428047 CEST	50098	445	192.168.2.11	80.174.132.167
Jul 25, 2024 03:05:54.288999081 CEST	445	50100	80.174.132.1	192.168.2.11
Jul 25, 2024 03:05:54.289112091 CEST	50100	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.289148092 CEST	50100	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.289453030 CEST	445	50099	80.174.132.1	192.168.2.11
Jul 25, 2024 03:05:54.289526939 CEST	50099	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:05:54.293951988 CEST	445	50100	80.174.132.1	192.168.2.11
Jul 25, 2024 03:05:54.974620104 CEST	445	50031	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:54.974853039 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:54.975130081 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:54.975259066 CEST	50031	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:54.981406927 CEST	445	50031	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:54.982423067 CEST	445	50031	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:55.007531881 CEST	50101	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:55.012622118 CEST	445	50101	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:55.012753963 CEST	50101	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:55.012809992 CEST	50101	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:05:55.017644882 CEST	445	50101	202.46.46.2	192.168.2.11
Jul 25, 2024 03:05:55.038475990 CEST	50102	445	192.168.2.11	68.36.231.33
Jul 25, 2024 03:05:55.043766975 CEST	445	50102	68.36.231.33	192.168.2.11
Jul 25, 2024 03:05:55.043898106 CEST	50102	445	192.168.2.11	68.36.231.33
Jul 25, 2024 03:05:55.043925047 CEST	50102	445	192.168.2.11	68.36.231.33
Jul 25, 2024 03:05:55.044022083 CEST	50103	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.049443007 CEST	445	50102	68.36.231.33	192.168.2.11
Jul 25, 2024 03:05:55.049519062 CEST	50102	445	192.168.2.11	68.36.231.33
Jul 25, 2024 03:05:55.049609900 CEST	445	50103	68.36.231.1	192.168.2.11
Jul 25, 2024 03:05:55.049660921 CEST	50103	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.049757957 CEST	50103	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.050055981 CEST	50104	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.056356907 CEST	445	50103	68.36.231.1	192.168.2.11
Jul 25, 2024 03:05:55.056435108 CEST	50103	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.057811022 CEST	445	50104	68.36.231.1	192.168.2.11
Jul 25, 2024 03:05:55.057877064 CEST	50104	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.057919025 CEST	50104	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:05:55.063483953 CEST	445	50104	68.36.231.1	192.168.2.11
Jul 25, 2024 03:05:55.203213930 CEST	445	50032	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:55.203416109 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:55.203522921 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:55.203592062 CEST	50032	445	192.168.2.11	48.239.46.1
Jul 25, 2024 03:05:55.209027052 CEST	445	50032	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:55.209055901 CEST	445	50032	48.239.46.1	192.168.2.11
Jul 25, 2024 03:05:55.257100105 CEST	50105	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.262001038 CEST	445	50105	48.239.46.2	192.168.2.11
Jul 25, 2024 03:05:55.262177944 CEST	50105	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.262218952 CEST	50105	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.262644053 CEST	50106	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.268883944 CEST	445	50106	48.239.46.2	192.168.2.11
Jul 25, 2024 03:05:55.268980026 CEST	50106	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.269042969 CEST	50106	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.269474983 CEST	445	50105	48.239.46.2	192.168.2.11
Jul 25, 2024 03:05:55.269526005 CEST	50105	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:05:55.273947001 CEST	445	50106	48.239.46.2	192.168.2.11
Jul 25, 2024 03:05:55.928919077 CEST	50108	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:55.933743954 CEST	445	50108	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:55.933846951 CEST	50108	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:55.933882952 CEST	50108	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:05:55.938632965 CEST	445	50108	26.155.142.1	192.168.2.11
Jul 25, 2024 03:05:57.021841049 CEST	445	50035	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:57.022073984 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:57.022284985 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:57.022341967 CEST	50035	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:05:57.029457092 CEST	445	50035	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:57.029473066 CEST	445	50035	1.0.209.1	192.168.2.11
Jul 25, 2024 03:05:57.975900888 CEST	50114	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:57.980967999 CEST	445	50114	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:57.981074095 CEST	50114	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:57.981142044 CEST	50114	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:05:57.986879110 CEST	445	50114	15.134.102.1	192.168.2.11
Jul 25, 2024 03:05:58.305268049 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:58.305325985 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:58.305417061 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:58.305830002 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:58.305845976 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:58.981508017 CEST	445	50039	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:58.981612921 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:58.981656075 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:58.981704950 CEST	50039	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:05:58.986473083 CEST	445	50039	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:58.986495972 CEST	445	50039	150.119.16.1	192.168.2.11
Jul 25, 2024 03:05:58.993278027 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:58.993413925 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:58.996989965 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:58.997010946 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:58.997364044 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.003134012 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.044498920 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.248114109 CEST	445	50040	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:59.248178959 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:59.248249054 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:59.248322964 CEST	50040	445	192.168.2.11	196.52.62.1
Jul 25, 2024 03:05:59.252988100 CEST	445	50040	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:59.253014088 CEST	445	50040	196.52.62.1	192.168.2.11
Jul 25, 2024 03:05:59.259006977 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.259037971 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.259057999 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.259104013 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.259138107 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.259151936 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.259181023 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.261610985 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.261646032 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.261662006 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.261676073 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.261706114 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.261713982 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.261740923 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.262032032 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.262051105 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.262062073 CEST	50118	443	192.168.2.11	52.165.165.26
Jul 25, 2024 03:05:59.262067080 CEST	443	50118	52.165.165.26	192.168.2.11
Jul 25, 2024 03:05:59.303989887 CEST	50126	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.308810949 CEST	445	50126	196.52.62.2	192.168.2.11
Jul 25, 2024 03:05:59.308876991 CEST	50126	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.308958054 CEST	50126	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.309299946 CEST	50127	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.314078093 CEST	445	50127	196.52.62.2	192.168.2.11
Jul 25, 2024 03:05:59.314138889 CEST	50127	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.314177036 CEST	50127	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.314316034 CEST	445	50126	196.52.62.2	192.168.2.11
Jul 25, 2024 03:05:59.314353943 CEST	50126	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:05:59.319015026 CEST	445	50127	196.52.62.2	192.168.2.11
Jul 25, 2024 03:06:00.038225889 CEST	50132	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:06:00.043965101 CEST	445	50132	1.0.209.1	192.168.2.11
Jul 25, 2024 03:06:00.044096947 CEST	50132	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:06:00.044096947 CEST	50132	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:06:00.048978090 CEST	445	50132	1.0.209.1	192.168.2.11
Jul 25, 2024 03:06:00.873511076 CEST	445	50043	57.62.233.1	192.168.2.11
Jul 25, 2024 03:06:00.873657942 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:00.873749018 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:00.873749018 CEST	50043	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:00.878997087 CEST	445	50043	57.62.233.1	192.168.2.11
Jul 25, 2024 03:06:00.879014015 CEST	445	50043	57.62.233.1	192.168.2.11
Jul 25, 2024 03:06:01.991323948 CEST	50155	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:06:02.168260098 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.169219971 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.169337988 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:06:02.169367075 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:06:02.169428110 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:06:02.169827938 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.170129061 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:06:02.170864105 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.170943975 CEST	50046	445	192.168.2.11	90.50.189.1
Jul 25, 2024 03:06:02.172734022 CEST	445	50155	150.119.16.1	192.168.2.11
Jul 25, 2024 03:06:02.176193953 CEST	50155	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:06:02.176193953 CEST	50155	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:06:02.176624060 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.183365107 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.183387995 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.183398962 CEST	445	50046	90.50.189.1	192.168.2.11
Jul 25, 2024 03:06:02.183415890 CEST	445	50155	150.119.16.1	192.168.2.11
Jul 25, 2024 03:06:02.226774931 CEST	50160	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.233933926 CEST	445	50160	90.50.189.2	192.168.2.11
Jul 25, 2024 03:06:02.234016895 CEST	50160	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.234158993 CEST	50160	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.237864971 CEST	50161	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.242206097 CEST	445	50160	90.50.189.2	192.168.2.11
Jul 25, 2024 03:06:02.242275953 CEST	50160	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.244323015 CEST	445	50161	90.50.189.2	192.168.2.11
Jul 25, 2024 03:06:02.244426012 CEST	50161	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.244426012 CEST	50161	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:02.251852989 CEST	445	50161	90.50.189.2	192.168.2.11
Jul 25, 2024 03:06:02.757038116 CEST	445	50049	24.92.172.1	192.168.2.11
Jul 25, 2024 03:06:02.757164001 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:02.757242918 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:02.757262945 CEST	50049	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:02.762087107 CEST	445	50049	24.92.172.1	192.168.2.11
Jul 25, 2024 03:06:02.762100935 CEST	445	50049	24.92.172.1	192.168.2.11
Jul 25, 2024 03:06:03.579961061 CEST	445	50050	87.253.190.2	192.168.2.11
Jul 25, 2024 03:06:03.580106020 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:06:03.580152988 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:06:03.580180883 CEST	50050	445	192.168.2.11	87.253.190.2
Jul 25, 2024 03:06:03.584908962 CEST	445	50050	87.253.190.2	192.168.2.11
Jul 25, 2024 03:06:03.584945917 CEST	445	50050	87.253.190.2	192.168.2.11
Jul 25, 2024 03:06:03.632093906 CEST	50189	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.636975050 CEST	445	50189	87.253.190.3	192.168.2.11
Jul 25, 2024 03:06:03.637085915 CEST	50189	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.637099028 CEST	50189	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.637413025 CEST	50190	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.642321110 CEST	445	50190	87.253.190.3	192.168.2.11
Jul 25, 2024 03:06:03.642395973 CEST	50190	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.642443895 CEST	50190	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.643527031 CEST	445	50189	87.253.190.3	192.168.2.11
Jul 25, 2024 03:06:03.643580914 CEST	50189	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:03.647438049 CEST	445	50190	87.253.190.3	192.168.2.11
Jul 25, 2024 03:06:03.882013083 CEST	50197	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:04.104351997 CEST	445	50197	57.62.233.1	192.168.2.11
Jul 25, 2024 03:06:04.104502916 CEST	50197	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:04.104549885 CEST	50197	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:04.109353065 CEST	445	50197	57.62.233.1	192.168.2.11
Jul 25, 2024 03:06:04.304212093 CEST	445	50053	58.140.208.1	192.168.2.11
Jul 25, 2024 03:06:04.304286957 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:06:04.304331064 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:06:04.304389954 CEST	50053	445	192.168.2.11	58.140.208.1
Jul 25, 2024 03:06:04.309148073 CEST	445	50053	58.140.208.1	192.168.2.11
Jul 25, 2024 03:06:04.309159994 CEST	445	50053	58.140.208.1	192.168.2.11
Jul 25, 2024 03:06:05.750467062 CEST	445	50054	56.26.26.1	192.168.2.11
Jul 25, 2024 03:06:05.750561953 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:06:05.750603914 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:06:05.750619888 CEST	50054	445	192.168.2.11	56.26.26.1
Jul 25, 2024 03:06:05.755445957 CEST	445	50054	56.26.26.1	192.168.2.11
Jul 25, 2024 03:06:05.755470037 CEST	445	50054	56.26.26.1	192.168.2.11
Jul 25, 2024 03:06:05.772530079 CEST	50265	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:05.783874989 CEST	445	50265	24.92.172.1	192.168.2.11
Jul 25, 2024 03:06:05.783972979 CEST	50265	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:05.783989906 CEST	50265	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:05.784740925 CEST	445	50057	62.251.83.1	192.168.2.11
Jul 25, 2024 03:06:05.784801960 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:06:05.784821033 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:06:05.784859896 CEST	50057	445	192.168.2.11	62.251.83.1
Jul 25, 2024 03:06:05.789113998 CEST	445	50265	24.92.172.1	192.168.2.11
Jul 25, 2024 03:06:05.790096998 CEST	445	50057	62.251.83.1	192.168.2.11
Jul 25, 2024 03:06:05.790107012 CEST	445	50057	62.251.83.1	192.168.2.11
Jul 25, 2024 03:06:05.803776979 CEST	50270	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.808593988 CEST	445	50270	56.26.26.2	192.168.2.11
Jul 25, 2024 03:06:05.808710098 CEST	50270	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.808806896 CEST	50270	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.809127092 CEST	50271	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.814093113 CEST	445	50271	56.26.26.2	192.168.2.11
Jul 25, 2024 03:06:05.814102888 CEST	445	50270	56.26.26.2	192.168.2.11
Jul 25, 2024 03:06:05.814177990 CEST	50270	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.814192057 CEST	50271	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.814265013 CEST	50271	445	192.168.2.11	56.26.26.2
Jul 25, 2024 03:06:05.818980932 CEST	445	50271	56.26.26.2	192.168.2.11
Jul 25, 2024 03:06:07.796011925 CEST	50190	445	192.168.2.11	87.253.190.3
Jul 25, 2024 03:06:07.796039104 CEST	50091	445	192.168.2.11	158.15.154.2
Jul 25, 2024 03:06:07.796087027 CEST	50101	445	192.168.2.11	202.46.46.2
Jul 25, 2024 03:06:07.796205044 CEST	50106	445	192.168.2.11	48.239.46.2
Jul 25, 2024 03:06:07.796228886 CEST	50072	445	192.168.2.11	210.194.28.2
Jul 25, 2024 03:06:07.796230078 CEST	50060	445	192.168.2.11	104.140.149.1
Jul 25, 2024 03:06:07.796262980 CEST	50127	445	192.168.2.11	196.52.62.2
Jul 25, 2024 03:06:07.796278954 CEST	50081	445	192.168.2.11	63.131.224.2
Jul 25, 2024 03:06:07.796323061 CEST	50062	445	192.168.2.11	204.216.232.1
Jul 25, 2024 03:06:07.796323061 CEST	50067	445	192.168.2.11	129.12.189.1
Jul 25, 2024 03:06:07.796358109 CEST	50070	445	192.168.2.11	94.82.132.1
Jul 25, 2024 03:06:07.796370029 CEST	50075	445	192.168.2.11	192.240.220.1
Jul 25, 2024 03:06:07.796389103 CEST	50076	445	192.168.2.11	184.73.129.1
Jul 25, 2024 03:06:07.796406984 CEST	50079	445	192.168.2.11	30.97.153.1
Jul 25, 2024 03:06:07.796431065 CEST	50084	445	192.168.2.11	193.191.213.1
Jul 25, 2024 03:06:07.796457052 CEST	50085	445	192.168.2.11	72.95.55.1
Jul 25, 2024 03:06:07.796467066 CEST	50089	445	192.168.2.11	210.84.101.1
Jul 25, 2024 03:06:07.796528101 CEST	50097	445	192.168.2.11	139.162.58.6
Jul 25, 2024 03:06:07.796533108 CEST	50094	445	192.168.2.11	217.85.57.1
Jul 25, 2024 03:06:07.796574116 CEST	50104	445	192.168.2.11	68.36.231.1
Jul 25, 2024 03:06:07.796613932 CEST	50108	445	192.168.2.11	26.155.142.1
Jul 25, 2024 03:06:07.796627045 CEST	50114	445	192.168.2.11	15.134.102.1
Jul 25, 2024 03:06:07.796652079 CEST	50132	445	192.168.2.11	1.0.209.1
Jul 25, 2024 03:06:07.796684027 CEST	50095	445	192.168.2.11	157.92.67.1
Jul 25, 2024 03:06:07.796684027 CEST	50100	445	192.168.2.11	80.174.132.1
Jul 25, 2024 03:06:07.796684027 CEST	50155	445	192.168.2.11	150.119.16.1
Jul 25, 2024 03:06:07.796740055 CEST	50197	445	192.168.2.11	57.62.233.1
Jul 25, 2024 03:06:07.796765089 CEST	50161	445	192.168.2.11	90.50.189.2
Jul 25, 2024 03:06:07.796859026 CEST	50265	445	192.168.2.11	24.92.172.1
Jul 25, 2024 03:06:07.796972036 CEST	50271	445	192.168.2.11	56.26.26.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 03:05:01.754725933 CEST	64236	53	192.168.2.11	1.1.1.1
Jul 25, 2024 03:05:01.763159037 CEST	53	64236	1.1.1.1	192.168.2.11
Jul 25, 2024 03:05:58.288953066 CEST	138	138	192.168.2.11	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 03:05:01.754725933 CEST	192.168.2.11	1.1.1.1	0x5159	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 03:05:01.763159037 CEST	1.1.1.1	192.168.2.11	0x5159	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jul 25, 2024 03:05:01.763159037 CEST	1.1.1.1	192.168.2.11	0x5159	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49704	104.16.167.228	80	7600	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 03:05:01.774465084 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jul 25, 2024 03:05:02.317466974 CEST	778	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 01:05:02 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 8a883d44ba7f7d1c-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49705	104.16.167.228	80	7980	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 03:05:02.766397953 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jul 25, 2024 03:05:03.247416019 CEST	778	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 01:05:03 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 8a883d4adb6a43b1-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49896	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 01:05:20 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l+uax9tLW5uZ1WT&MD=MVy5HlLL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 01:05:21 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 4fac9600-fbda-4fba-97b7-29a1f4181743 MS-RequestId: 5aa1a148-95fc-4268-a9ce-b93074b31f35 MS-CV: NfJt4xwAvEWPI85N.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 01:05:20 GMT Connection: close Content-Length: 24490
2024-07-25 01:05:21 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-25 01:05:21 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	50118	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-07-25 01:05:58 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=l+uax9tLW5uZ1WT&MD=MVy5HlLL HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-25 01:05:59 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 713f042e-74ee-4dc8-b7a4-41bd0fb33a60 MS-RequestId: ff72e1a1-8821-4bfe-8d7d-1f4041d46f5f MS-CV: egmsDm5nAEqoJjjs.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 25 Jul 2024 01:05:58 GMT Connection: close Content-Length: 30005
2024-07-25 01:05:59 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-25 01:05:59 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff620220000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_26.exe"
Imagebase:	0x400000
File size:	3'723'271 bytes
MD5 hash:	EB4F4C455604F0F1CE111FBEFECD9E21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.1276459985.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000000.1276607451.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	21:04:59
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	21:05:01
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\LisectAVT_2403002A_26.exe -m security
Imagebase:	0x400000
File size:	3'723'271 bytes
MD5 hash:	EB4F4C455604F0F1CE111FBEFECD9E21
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1936681471.0000000002286000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.1291190176.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000000.1291005843.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1936364904.0000000001D5D000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	21:05:02
Start date:	24/07/2024
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	3DF2667EF94776EEB272A1404801F118
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1300769671.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	21:05:46
Start date:	24/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff68dea0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	21:06:00
Start date:	24/07/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff645940000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	21:06:00
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F3A0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

kernel32.dll, xrefs: 00407CEA
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29

Memory Dump Source

Source File: 00000004.00000002.1301965645.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1301947144.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1301985566.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302080761.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 1541710770-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000004.00000002.1301965645.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1301947144.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1301985566.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302080761.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000004.00000002.1301965645.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1301947144.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1301985566.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302080761.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F3A0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000004.00000002.1301965645.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1301947144.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1301985566.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302080761.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F3A0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000004.00000002.1301965645.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1301947144.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1301985566.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302016386.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302080761.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1302206488.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: LisectAVT_2403002A_26.exePID: 7980, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F3A0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000009.00000002.1935141737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1935119591.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935162980.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935251679.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935271996.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000009.00000002.1935141737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1935119591.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935162980.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935251679.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935271996.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F3A0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000009.00000002.1935141737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1935119591.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935162980.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935251679.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935271996.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F3A0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
D, xrefs: 00407ED3
/i, xrefs: 00407E8D
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\qeriuwjhrf, xrefs: 00407E12
kernel32.dll, xrefs: 00407CEA
tasksche.exe, xrefs: 00407DEA
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000009.00000002.1935141737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1935119591.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935162980.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935251679.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935271996.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000009.00000002.1935141737.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1935119591.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935162980.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935183043.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935230575.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935251679.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935271996.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.00000000007CA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000009.00000002.1935370484.0000000000A60000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_LisectAVT_2403002A_26.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 8068, Parent PID: 7600COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

\../, xrefs: 00406DE7
/../, xrefs: 00406DF5
/..\, xrefs: 00406E03
\..\, xrefs: 00406DD9

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptAcquireContextA, xrefs: 00401A71
advapi32.dll, xrefs: 00401A55
CryptGenKey, xrefs: 00401AAD
CryptDestroyKey, xrefs: 00401A86
CryptEncrypt, xrefs: 00401A93
CryptImportKey, xrefs: 00401A79
CryptDecrypt, xrefs: 00401AA0

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

CreateFileW, xrefs: 00401743
MoveFileExW, xrefs: 00401772
CloseHandle, xrefs: 0040178C
ReadFile, xrefs: 00401758
WriteFile, xrefs: 0040174B
MoveFileW, xrefs: 00401765
kernel32.dll, xrefs: 00401727
DeleteFileW, xrefs: 0040177F

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s, xrefs: 00407389
\, xrefs: 00407358
:, xrefs: 0040736E
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
t.wnry, xrefs: 00402125
TaskStart, xrefs: 00402145
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
attrib +h ., xrefs: 004020DC

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
0@, xrefs: 00401157
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

GetNativeSystemInfo, xrefs: 004022A1
kernel32.dll, xrefs: 0040228C
?!@, xrefs: 004021F8

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 0000000A.00000002.1301248082.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1301225837.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301276948.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301298100.000000000040E000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000410000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.00000000004BA000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.1301324290.0000000000750000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_26.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
LisectAVT_2403002A_26.exe

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON