Edit tour

Windows Analysis Report
mCgW5qofxC.dll

Overview

General Information

Sample name:	mCgW5qofxC.dll renamed because original name is a hash value
Original sample name:	2637da2286536690b1649bee21f335c1.dll
Analysis ID:	1591259
MD5:	2637da2286536690b1649bee21f335c1
SHA1:	cf6c307ad8d95c9b71e0902ad1b45cfbe26278d0
SHA256:	ef55bbed02387455cc660149d8933508887ff26c160c8704df2de3cd5d0f7e82
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4512 cmdline: loaddll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6420 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2948 cmdline: rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 5896 cmdline: C:\WINDOWS\mssecsvc.exe MD5: FC9B6711FD800ECCBF960932F0E9B75B)

tasksche.exe (PID: 1372 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 16A8FDD68114C10EAE3C843FAFF5916B)

rundll32.exe (PID: 3352 cmdline: rundll32.exe C:\Users\user\Desktop\mCgW5qofxC.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7012 cmdline: rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 1924 cmdline: C:\WINDOWS\mssecsvc.exe MD5: FC9B6711FD800ECCBF960932F0E9B75B)

tasksche.exe (PID: 5008 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 16A8FDD68114C10EAE3C843FAFF5916B)

mssecsvc.exe (PID: 4208 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: FC9B6711FD800ECCBF960932F0E9B75B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mCgW5qofxC.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
mCgW5qofxC.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
mCgW5qofxC.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2220670094.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000000.2209536984.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.2200457017.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2184434328.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2221303870.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.2211938201.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000000.2220295913.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 5896	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 4208	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 1924	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.1eae084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.23cf8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1ebd104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ebd104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ebd104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1ebd104.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1ee0128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ee0128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ee0128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1ee0128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.240196c.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.240196c.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240196c.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240196c.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ee0128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ee0128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ee0128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1ee0128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23de948.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23de948.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23de948.8.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.23de948.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.240196c.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.240196c.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240196c.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.240196c.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23da8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23da8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23da8e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ebd104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ebd104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x5099ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5099d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ebd104.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1eb90a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb90a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb90a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.23de948.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23de948.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23de948.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23cf8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23cf8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.23cf8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1eae084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eae084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x284de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x274bb0:$x3: tasksche.exe 0x284dc0:$x3: tasksche.exe 0x284d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x284e14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x274c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x23f26c:$x7: mssecsvc.exe 0x25ab94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x274b88:$x8: C:\%s\qeriuwjhrf 0x284de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x23f254:$s1: C:\%s\%s 0x25ab7c:$s1: C:\%s\%s 0x274b9c:$s1: C:\%s\%s 0x284d14:$s3: cmd.exe /c "%s" 0x2b7268:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.1eae084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1eae084.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x284dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x284de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1eae084.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2778fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24b8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24d25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27d0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 135 entries

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.932719+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.6	49710	TCP
2025-01-14T20:57:08.783325+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.6	49712	TCP
2025-01-14T20:57:09.843644+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.6	49726	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.396425+0100	2024291	1	A Network Trojan was detected	192.168.2.6	56557	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.895280+0100	2024298	1	A Network Trojan was detected	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024298	1	A Network Trojan was detected	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024298	1	A Network Trojan was detected	192.168.2.6	49726	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.895280+0100	2024299	1	A Network Trojan was detected	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024299	1	A Network Trojan was detected	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024299	1	A Network Trojan was detected	192.168.2.6	49726	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.895280+0100	2024301	1	A Network Trojan was detected	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024301	1	A Network Trojan was detected	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024301	1	A Network Trojan was detected	192.168.2.6	49726	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.895280+0100	2024302	1	A Network Trojan was detected	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024302	1	A Network Trojan was detected	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024302	1	A Network Trojan was detected	192.168.2.6	49726	104.16.167.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T20:57:07.895280+0100	2803304	3	Unknown Traffic	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2803304	3	Unknown Traffic	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2803304	3	Unknown Traffic	192.168.2.6	49726	104.16.167.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mCgW5qofxC.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\mssecsvc.exe	Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 93%
Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 93%

Multi AV Scanner detection for submitted file

Source: mCgW5qofxC.dll	ReversingLabs: Detection: 94%
Source: mCgW5qofxC.dll	Virustotal: Detection: 92%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mCgW5qofxC.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 9_2_004018B9 CryptReleaseContext,

9_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: mCgW5qofxC.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49930 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50637 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50639 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.6:49726 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.6:49726 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.6:49726 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.6:49726 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.6:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.6:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.6:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.6:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.6:49712 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.6:49712 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.6:49712 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.6:49712 -> 104.16.167.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 19:57:07 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9020317bd8e442a9-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 19:57:08 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902031817b7cf3bb-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 19:57:09 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 902031882d99f5f8-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: unknown

Network traffic detected: IP country count 10

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49726 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49710 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.6:49726
Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.6:56557 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49712 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.6:49710
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.6:49712

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49930 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.238
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.238
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.238
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.238
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 115.153.235.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.202
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.202
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.202
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.202
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 26.20.34.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.21
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.21
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.21
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.21
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 125.52.121.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: mssecsvc.exe.3.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2847196923.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&r
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2VsTk
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/6rtj
Source: mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/O
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/fsDk
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/k&s
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/q
Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s
Source: mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/x
Source: mssecsvc.exe, 00000008.00000002.2846264612.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comL
Source: mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comV

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 50637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50637
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50639
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50232
Source: unknown	Network traffic detected: HTTP traffic on port 50639 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 50232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49990 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50232 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50637 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:50639 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

9_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: mCgW5qofxC.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23da8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ebd104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb90a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23de948.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23cf8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2200457017.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2184434328.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2221303870.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2211938201.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4208, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 1924, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: mCgW5qofxC.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: mCgW5qofxC.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eae084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23cf8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23da8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23da8e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ebd104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ebd104.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1eb90a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb90a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.23de948.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23de948.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23cf8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23cf8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0000000C.00000002.2220670094.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.2209536984.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.2220295913.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 9_2_00406C40	9_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402A76	9_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402E7E	9_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040350F	9_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00404C19	9_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040541F	9_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00403797	9_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 9_2_004043B7	9_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 9_2_004031BC	9_2_004031BC

Source: mssecsvc.exe.3.dr	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: mCgW5qofxC.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: mCgW5qofxC.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: mCgW5qofxC.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eae084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23cf8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1ebd104.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1ee0128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240196c.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1ee0128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.23de948.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.240196c.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23da8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23da8e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ebd104.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ebd104.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1eb90a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb90a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.23de948.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23de948.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23cf8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23cf8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1eae084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000C.00000002.2220670094.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.2209536984.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.2220295913.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 00000009.00000000.2209536984.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000002.2220670094.000000000040E000.00000008.00000001.01000000.00000007.sdmp, mCgW5qofxC.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/3@1/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03

Source: mCgW5qofxC.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mCgW5qofxC.dll,PlayGame

Source: mCgW5qofxC.dll	ReversingLabs: Detection: 94%
Source: mCgW5qofxC.dll	Virustotal: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mCgW5qofxC.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mCgW5qofxC.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: mCgW5qofxC.dll

Static file information: File size 5267459 > 1048576

Source: mCgW5qofxC.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 9_2_00407710 push eax; ret		9_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 9_2_004076C8 push eax; ret		9_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 7008	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7008	Thread sleep time: -182000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6544	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 6544	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7008	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8m
Source: mssecsvc.exe, 00000006.00000002.2210803453.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2210803453.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2847196923.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000003.2209123528.0000000000CEC000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 9_2_004029CC free,GetProcessHeap,HeapFree,

9_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mCgW5qofxC.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
mCgW5qofxC.dll	93%	Virustotal		Browse
mCgW5qofxC.dll	100%	Avira	TR/AD.WannaCry.zlvln
mCgW5qofxC.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	94%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	94%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comV	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comL	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	mssecsvc.exe.3.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comL	mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/q	mssecsvc.exe, 00000006.00000002.2210803453.0000000000C9F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/O	mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comV	mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&	mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/&r	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2VsTk	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvc.exe, 00000006.00000002.2210803453.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/fsDk	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/k&s	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/x	mssecsvc.exe, 0000000B.00000002.2221872098.0000000000D38000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/6rtj	mssecsvc.exe, 00000008.00000002.2847196923.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000008.00000002.2846264612.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
116.178.208.121	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
43.54.236.1	unknown	Japan	4249	LILLY-ASUS	false
25.198.44.1	unknown	United Kingdom	7922	COMCAST-7922US	false
114.252.160.189	unknown	China	4808	CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	false
201.118.194.137	unknown	Mexico	8151	UninetSAdeCVMX	false
26.197.227.1	unknown	United States	7922	COMCAST-7922US	false
137.253.225.34	unknown	United Kingdom	786	JANETJiscServicesLimitedGB	false
89.1.159.2	unknown	Germany	8422	NETCOLOGNEDE	false
89.1.159.1	unknown	Germany	8422	NETCOLOGNEDE	false
37.56.78.1	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
38.202.131.1	unknown	United States	9009	M247GB	false
26.20.34.202	unknown	United States	7922	COMCAST-7922US	false
44.86.39.1	unknown	United States	7377	UCSDUS	false
52.252.59.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
38.202.131.61	unknown	United States	9009	M247GB	false
44.86.39.2	unknown	United States	7377	UCSDUS	false
98.102.89.130	unknown	United States	10796	TWC-10796-MIDWESTUS	false
52.252.59.4	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
131.241.117.1	unknown	United States	3549	LVLT-3549US	false
37.56.78.12	unknown	Saudi Arabia	25019	SAUDINETSTC-ASSA	false
14.86.25.59	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
115.153.235.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
193.228.157.116	unknown	Sweden	43504	CENTIRO-ASSE	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591259
Start date and time:	2025-01-14 20:56:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mCgW5qofxC.dll renamed because original name is a hash value
Original Sample Name:	2637da2286536690b1649bee21f335c1.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/3@1/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 2.17.190.73, 2.16.168.102, 199.232.214.172, 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 1372 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:57:08	API Interceptor	1x Sleep call for process: loaddll32.exe modified
14:57:42	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.167.228
	LisectAVT_2403002A_26.exe	Get hash	malicious	Wannacry	Browse	104.16.167.228
	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	qt680eucI4.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	1w3BDu68Sg.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.167.228
	qCc1a4w5YZ.exe	Get hash	malicious	Wannacry	Browse	104.17.244.81

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LILLY-ASUS	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	43.152.64.193
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	40.161.250.136
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	43.153.232.152
	Ecastillo-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	43.135.205.15
	meth10.elf	Get hash	malicious	Mirai	Browse	43.194.182.201
	arm4.elf	Get hash	malicious	Unknown	Browse	40.50.104.208
	ppc.elf	Get hash	malicious	Unknown	Browse	40.204.188.253
	m68k.elf	Get hash	malicious	Unknown	Browse	40.24.80.155
	i686.elf	Get hash	malicious	Unknown	Browse	40.237.228.164
	arm5.elf	Get hash	malicious	Unknown	Browse	43.153.179.66
CHINA169-BJChinaUnicomBeijingProvinceNetworkCN	meth1.elf	Get hash	malicious	Mirai	Browse	1.94.186.186
	m68k.elf	Get hash	malicious	Unknown	Browse	114.246.183.13
	i686.elf	Get hash	malicious	Unknown	Browse	114.255.32.224
	x86_64.elf	Get hash	malicious	Unknown	Browse	124.68.52.200
	meth2.elf	Get hash	malicious	Mirai	Browse	111.192.240.184
	meth15.elf	Get hash	malicious	Mirai	Browse	123.122.220.189
	meth7.elf	Get hash	malicious	Mirai	Browse	60.207.195.72
	elitebotnet.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	111.208.229.170
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	116.219.82.0
	5.elf	Get hash	malicious	Unknown	Browse	111.193.47.96
COMCAST-7922US	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	68.43.54.12
	meth10.elf	Get hash	malicious	Mirai	Browse	50.189.178.1
	meth3.elf	Get hash	malicious	Mirai	Browse	69.246.125.237
	meth8.elf	Get hash	malicious	Mirai	Browse	50.136.199.8
	arm4.elf	Get hash	malicious	Unknown	Browse	73.242.202.214
	ppc.elf	Get hash	malicious	Unknown	Browse	25.152.149.43
	m68k.elf	Get hash	malicious	Unknown	Browse	96.69.200.200
	i686.elf	Get hash	malicious	Unknown	Browse	73.12.82.235
	x86.elf	Get hash	malicious	Unknown	Browse	25.151.58.104
	meth4.elf	Get hash	malicious	Mirai	Browse	73.26.129.67
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	61.167.78.49
	meth10.elf	Get hash	malicious	Mirai	Browse	60.16.183.30
	meth3.elf	Get hash	malicious	Mirai	Browse	157.2.250.223
	meth8.elf	Get hash	malicious	Mirai	Browse	183.189.239.112
	arm4.elf	Get hash	malicious	Unknown	Browse	113.230.132.37
	ppc.elf	Get hash	malicious	Unknown	Browse	183.188.114.225
	m68k.elf	Get hash	malicious	Unknown	Browse	221.215.129.62
	i686.elf	Get hash	malicious	Unknown	Browse	42.49.158.242
	x86.elf	Get hash	malicious	Unknown	Browse	112.81.244.142
	meth4.elf	Get hash	malicious	Mirai	Browse	218.69.20.160

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	Document_31055.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	173.222.162.64
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://bccab.dynartis.it/TI_loc.csv	Get hash	malicious	Unknown	Browse	173.222.162.64
	1736856908fb16676aec3e4c808c4bd5cde8e123cc70360266f85ec0ed17050bca6456c9dd274.dat-decoded.exe	Get hash	malicious	XWorm	Browse	173.222.162.64
	https://akirapowered84501.emlnk.com/lt.php?x=3DZy~GDLVnab5KCs-Nu4WOae1qEoiN9xvxk1XaPMVXahD5B9-Uy.xuG-142imNH	Get hash	malicious	Unknown	Browse	173.222.162.64
	http://bombasml.es	Get hash	malicious	Unknown	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253 40.113.103.199

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.085007675253267
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:QqPoBhz1aRxcSUDk36SA
MD5:	16A8FDD68114C10EAE3C843FAFF5916B
SHA1:	98555EE1FD1B0A1EDCDC64CA3CC38BF8DA382C76
SHA-256:	84823E7430AE9E9DAEB611E986CA50000A7C66547F5CA060B320101A32A2902C
SHA-512:	87E96104FD98F0C46E8765F52F48E9DE0F29CA8ABD96E270F000A9DA4C17EF73FDE33441E21CA8E8517BAD103A99F3BD2BF05DCA3E934BD6DFDBA5D1C25C27EA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 94%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	5.175448064832401
Encrypted:	false
SSDEEP:	49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:yDqPoBhz1aRxcSUDk36SA
MD5:	FC9B6711FD800ECCBF960932F0E9B75B
SHA1:	54C17F1505A1A908F33CE35238AC32FB8216D113
SHA-256:	CEE373187F0B70F79A3E886FCE0A8F128AF53637BBEB6E9C50AF78A1166B4BEF
SHA-512:	451A277527CA8CC6D05315AA08589C9A3BA432256B9E716A9D74961A09FF2D5808199345CD1C43A61902CE3091B3DA945822509ED8D286E3ACCE0F944E3A6ED6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.085007675253267
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:QqPoBhz1aRxcSUDk36SA
MD5:	16A8FDD68114C10EAE3C843FAFF5916B
SHA1:	98555EE1FD1B0A1EDCDC64CA3CC38BF8DA382C76
SHA-256:	84823E7430AE9E9DAEB611E986CA50000A7C66547F5CA060B320101A32A2902C
SHA-512:	87E96104FD98F0C46E8765F52F48E9DE0F29CA8ABD96E270F000A9DA4C17EF73FDE33441E21CA8E8517BAD103A99F3BD2BF05DCA3E934BD6DFDBA5D1C25C27EA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 94%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.904793562147678
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mCgW5qofxC.dll
File size:	5'267'459 bytes
MD5:	2637da2286536690b1649bee21f335c1
SHA1:	cf6c307ad8d95c9b71e0902ad1b45cfbe26278d0
SHA256:	ef55bbed02387455cc660149d8933508887ff26c160c8704df2de3cd5d0f7e82
SHA512:	f7697684cdadd2ec7690dace02b934dfdfb4dfd1fd5928195f5d237a9e3ab207d3aa7aa45ccf4e2f82091c780ed2c02797bc43b53ea4ba4951b97eafe4e8637e
SSDEEP:	49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
TLSH:	E136335A717CD1FCC106297954A78967E7F33C9A12FE6A0F8F8049A60D13B19BF90A43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F37484CD20Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F37484CD228h
cmp esi, 01h
je 00007F37484CD207h
cmp esi, 02h
jne 00007F37484CD224h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F37484CD20Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F37484CD20Eh
push edi
push esi
push ebx
call 00007F37484CD11Ah
test eax, eax
jne 00007F37484CD206h
xor eax, eax
jmp 00007F37484CD250h
push edi
push esi
push ebx
call 00007F37484CCFCCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F37484CD20Eh
test eax, eax
jne 00007F37484CD239h
push edi
push eax
push ebx
call 00007F37484CD0F6h
test esi, esi
je 00007F37484CD207h
cmp esi, 03h
jne 00007F37484CD228h
push edi
push esi
push ebx
call 00007F37484CD0E5h
test eax, eax
jne 00007F37484CD205h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F37484CD213h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F37484CD20Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	d31d5bf20a85a2f0ac68f686b23466dc	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770942687988281

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T20:57:07.396425+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.6	56557	1.1.1.1	53	UDP
2025-01-14T20:57:07.895280+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:07.895280+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:07.895280+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:07.895280+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:07.895280+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.6	49710	104.16.167.228	80	TCP
2025-01-14T20:57:07.932719+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.6	49710	TCP
2025-01-14T20:57:08.781989+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:08.781989+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.6	49712	104.16.167.228	80	TCP
2025-01-14T20:57:08.783325+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.6	49712	TCP
2025-01-14T20:57:09.843111+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.6	49726	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.6	49726	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.6	49726	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.6	49726	104.16.167.228	80	TCP
2025-01-14T20:57:09.843111+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.6	49726	104.16.167.228	80	TCP
2025-01-14T20:57:09.843644+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.6	49726	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 20:56:59.567717075 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:56:59.567958117 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:56:59.898627043 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:03.761030912 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:03.761080027 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:03.761274099 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:03.761856079 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:03.761877060 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.569838047 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.570002079 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.574352026 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.574362040 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.574636936 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.579329967 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.579613924 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.579613924 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.579627991 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.627325058 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.758759022 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.758846045 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:04.759505987 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.759933949 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.759933949 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 20:57:04.759968042 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 20:57:07.411268950 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.416515112 CET	80	49710	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:07.416618109 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.417496920 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.422378063 CET	80	49710	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:07.895226955 CET	80	49710	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:07.895241976 CET	80	49710	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:07.895279884 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.895307064 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.927568913 CET	49710	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:07.932718992 CET	80	49710	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.283502102 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.288367033 CET	80	49712	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.288430929 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.288737059 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.293518066 CET	80	49712	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.781863928 CET	80	49712	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.781989098 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.782116890 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.783324957 CET	80	49712	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.783382893 CET	49712	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:08.787029028 CET	80	49712	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:08.856177092 CET	49713	445	192.168.2.6	115.153.235.238
Jan 14, 2025 20:57:08.861100912 CET	445	49713	115.153.235.238	192.168.2.6
Jan 14, 2025 20:57:08.861174107 CET	49713	445	192.168.2.6	115.153.235.238
Jan 14, 2025 20:57:08.861207008 CET	49713	445	192.168.2.6	115.153.235.238
Jan 14, 2025 20:57:08.861394882 CET	49714	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.866219044 CET	445	49714	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:08.866281033 CET	49714	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.866373062 CET	445	49713	115.153.235.238	192.168.2.6
Jan 14, 2025 20:57:08.866420984 CET	49713	445	192.168.2.6	115.153.235.238
Jan 14, 2025 20:57:08.867060900 CET	49714	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.871866941 CET	445	49714	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:08.871915102 CET	49714	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.878405094 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.883320093 CET	445	49715	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:08.883436918 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.883558035 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:08.888407946 CET	445	49715	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:09.177007914 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:09.177011013 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:09.373125076 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.378035069 CET	80	49726	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:09.380230904 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.380431890 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.385207891 CET	80	49726	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:09.505129099 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:09.842781067 CET	80	49726	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:09.843111038 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.843111038 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.843643904 CET	80	49726	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:09.843765020 CET	49726	80	192.168.2.6	104.16.167.228
Jan 14, 2025 20:57:09.847946882 CET	80	49726	104.16.167.228	192.168.2.6
Jan 14, 2025 20:57:10.834520102 CET	49739	445	192.168.2.6	26.20.34.202
Jan 14, 2025 20:57:10.840989113 CET	445	49739	26.20.34.202	192.168.2.6
Jan 14, 2025 20:57:10.841074944 CET	49739	445	192.168.2.6	26.20.34.202
Jan 14, 2025 20:57:10.841203928 CET	49739	445	192.168.2.6	26.20.34.202
Jan 14, 2025 20:57:10.841423035 CET	49740	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.847634077 CET	445	49739	26.20.34.202	192.168.2.6
Jan 14, 2025 20:57:10.847692966 CET	49739	445	192.168.2.6	26.20.34.202
Jan 14, 2025 20:57:10.847768068 CET	445	49740	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:10.848413944 CET	49740	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.848555088 CET	49740	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.850636959 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.855957031 CET	445	49740	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:10.856004953 CET	49740	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.856935024 CET	445	49741	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:10.856998920 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.858011961 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:10.864181042 CET	445	49741	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:11.247658014 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:11.247791052 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:11.910979033 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:11.911005020 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:11.911087036 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:11.912117004 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:11.912130117 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.715380907 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.715549946 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.717874050 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.717886925 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.718125105 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.719811916 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.719878912 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.719885111 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.720004082 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.767330885 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.834554911 CET	49770	445	192.168.2.6	125.52.121.21
Jan 14, 2025 20:57:12.839365005 CET	445	49770	125.52.121.21	192.168.2.6
Jan 14, 2025 20:57:12.839605093 CET	49770	445	192.168.2.6	125.52.121.21
Jan 14, 2025 20:57:12.839629889 CET	49770	445	192.168.2.6	125.52.121.21
Jan 14, 2025 20:57:12.839796066 CET	49771	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.844561100 CET	445	49771	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:12.845187902 CET	445	49770	125.52.121.21	192.168.2.6
Jan 14, 2025 20:57:12.845309019 CET	49770	445	192.168.2.6	125.52.121.21
Jan 14, 2025 20:57:12.845310926 CET	49771	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.845364094 CET	49771	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.846544981 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.850646973 CET	445	49771	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:12.851356030 CET	445	49772	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:12.851402998 CET	49771	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.851428032 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.851497889 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:12.856302023 CET	445	49772	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:12.894392014 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.894543886 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:12.894670010 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.894881964 CET	49752	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:12.894898891 CET	443	49752	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:14.850769043 CET	49808	445	192.168.2.6	49.79.158.87
Jan 14, 2025 20:57:14.855696917 CET	445	49808	49.79.158.87	192.168.2.6
Jan 14, 2025 20:57:14.855822086 CET	49808	445	192.168.2.6	49.79.158.87
Jan 14, 2025 20:57:14.855879068 CET	49808	445	192.168.2.6	49.79.158.87
Jan 14, 2025 20:57:14.856096983 CET	49809	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.860965967 CET	445	49808	49.79.158.87	192.168.2.6
Jan 14, 2025 20:57:14.860979080 CET	445	49809	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:14.861058950 CET	49808	445	192.168.2.6	49.79.158.87
Jan 14, 2025 20:57:14.861109972 CET	49809	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.861169100 CET	49809	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.862760067 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.866214037 CET	445	49809	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:14.866292000 CET	49809	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.867575884 CET	445	49810	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:14.868129969 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.868129969 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:14.872941971 CET	445	49810	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:16.865855932 CET	49845	445	192.168.2.6	44.86.39.155
Jan 14, 2025 20:57:16.870671988 CET	445	49845	44.86.39.155	192.168.2.6
Jan 14, 2025 20:57:16.870742083 CET	49845	445	192.168.2.6	44.86.39.155
Jan 14, 2025 20:57:16.870799065 CET	49845	445	192.168.2.6	44.86.39.155
Jan 14, 2025 20:57:16.870970964 CET	49846	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.875726938 CET	445	49846	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:16.875737906 CET	445	49845	44.86.39.155	192.168.2.6
Jan 14, 2025 20:57:16.875797987 CET	49845	445	192.168.2.6	44.86.39.155
Jan 14, 2025 20:57:16.875809908 CET	49846	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.875917912 CET	49846	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.876909971 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.880702972 CET	445	49846	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:16.880759001 CET	49846	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.881937027 CET	445	49847	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:16.882028103 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.882086992 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:16.886850119 CET	445	49847	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:18.882364988 CET	49879	445	192.168.2.6	97.239.252.179
Jan 14, 2025 20:57:18.887286901 CET	445	49879	97.239.252.179	192.168.2.6
Jan 14, 2025 20:57:18.887516975 CET	49879	445	192.168.2.6	97.239.252.179
Jan 14, 2025 20:57:18.887516975 CET	49879	445	192.168.2.6	97.239.252.179
Jan 14, 2025 20:57:18.887674093 CET	49880	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.892441988 CET	445	49880	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:18.892508030 CET	49880	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.892532110 CET	49880	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.892672062 CET	445	49879	97.239.252.179	192.168.2.6
Jan 14, 2025 20:57:18.893668890 CET	49879	445	192.168.2.6	97.239.252.179
Jan 14, 2025 20:57:18.893668890 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.897597075 CET	445	49880	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:18.897670031 CET	49880	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.898545980 CET	445	49881	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:18.899971008 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.899971008 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:18.904793024 CET	445	49881	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:20.904983997 CET	49914	445	192.168.2.6	89.1.159.242
Jan 14, 2025 20:57:20.910166979 CET	445	49914	89.1.159.242	192.168.2.6
Jan 14, 2025 20:57:20.910243988 CET	49914	445	192.168.2.6	89.1.159.242
Jan 14, 2025 20:57:20.910376072 CET	49914	445	192.168.2.6	89.1.159.242
Jan 14, 2025 20:57:20.910613060 CET	49915	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.915268898 CET	445	49914	89.1.159.242	192.168.2.6
Jan 14, 2025 20:57:20.915321112 CET	49914	445	192.168.2.6	89.1.159.242
Jan 14, 2025 20:57:20.915364027 CET	445	49915	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:20.915411949 CET	49915	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.915492058 CET	49915	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.920984983 CET	445	49915	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:20.921021938 CET	49915	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.926100969 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.931005955 CET	445	49916	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:20.931128979 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.931128979 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:20.936003923 CET	445	49916	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:21.642102957 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:21.642204046 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:21.642962933 CET	49930	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:21.643002033 CET	443	49930	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:21.643754959 CET	49930	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:21.648942947 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:21.649095058 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:21.649104118 CET	49930	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:21.649116993 CET	443	49930	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:22.234131098 CET	443	49930	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:22.234235048 CET	49930	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:22.912064075 CET	49955	445	192.168.2.6	12.102.130.168
Jan 14, 2025 20:57:22.917207003 CET	445	49955	12.102.130.168	192.168.2.6
Jan 14, 2025 20:57:22.917335987 CET	49955	445	192.168.2.6	12.102.130.168
Jan 14, 2025 20:57:22.917474985 CET	49955	445	192.168.2.6	12.102.130.168
Jan 14, 2025 20:57:22.917723894 CET	49956	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.922485113 CET	445	49955	12.102.130.168	192.168.2.6
Jan 14, 2025 20:57:22.922646046 CET	49955	445	192.168.2.6	12.102.130.168
Jan 14, 2025 20:57:22.922697067 CET	445	49956	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:22.922761917 CET	49956	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.922902107 CET	49956	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.923227072 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.927881956 CET	445	49956	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:22.927978039 CET	49956	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.928318024 CET	445	49957	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:22.928406000 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.928488016 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:22.933393002 CET	445	49957	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:24.828275919 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:24.828324080 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:24.828407049 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:24.829252958 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:24.829279900 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:24.928638935 CET	49993	445	192.168.2.6	98.102.89.130
Jan 14, 2025 20:57:24.933434010 CET	445	49993	98.102.89.130	192.168.2.6
Jan 14, 2025 20:57:24.933521032 CET	49993	445	192.168.2.6	98.102.89.130
Jan 14, 2025 20:57:24.933661938 CET	49993	445	192.168.2.6	98.102.89.130
Jan 14, 2025 20:57:24.933765888 CET	49994	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.938565016 CET	445	49993	98.102.89.130	192.168.2.6
Jan 14, 2025 20:57:24.938602924 CET	445	49994	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:24.938627005 CET	49993	445	192.168.2.6	98.102.89.130
Jan 14, 2025 20:57:24.938683987 CET	49994	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.938771963 CET	49994	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.939172029 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.943695068 CET	445	49994	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:24.943748951 CET	49994	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.944056988 CET	445	49995	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:24.944123983 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.944160938 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:24.948973894 CET	445	49995	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:25.888200998 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:25.888288975 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:25.894325972 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:25.894350052 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:25.894629002 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:25.897231102 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:25.897286892 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:25.897299051 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:25.897506952 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:25.939337015 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:26.071357012 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:26.071436882 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:26.071513891 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:26.071816921 CET	49990	443	192.168.2.6	40.113.110.67
Jan 14, 2025 20:57:26.071837902 CET	443	49990	40.113.110.67	192.168.2.6
Jan 14, 2025 20:57:26.943586111 CET	50028	445	192.168.2.6	43.54.236.166
Jan 14, 2025 20:57:26.948359013 CET	445	50028	43.54.236.166	192.168.2.6
Jan 14, 2025 20:57:26.948436022 CET	50028	445	192.168.2.6	43.54.236.166
Jan 14, 2025 20:57:26.948540926 CET	50028	445	192.168.2.6	43.54.236.166
Jan 14, 2025 20:57:26.948726892 CET	50030	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.953418016 CET	445	50028	43.54.236.166	192.168.2.6
Jan 14, 2025 20:57:26.953475952 CET	50028	445	192.168.2.6	43.54.236.166
Jan 14, 2025 20:57:26.953525066 CET	445	50030	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:26.953583002 CET	50030	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.953651905 CET	50030	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.954046965 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.958540916 CET	445	50030	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:26.958640099 CET	50030	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.958837986 CET	445	50031	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:26.959054947 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.959054947 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:26.963865995 CET	445	50031	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:28.959959030 CET	50066	445	192.168.2.6	52.252.59.4
Jan 14, 2025 20:57:28.964890003 CET	445	50066	52.252.59.4	192.168.2.6
Jan 14, 2025 20:57:28.964966059 CET	50066	445	192.168.2.6	52.252.59.4
Jan 14, 2025 20:57:28.965248108 CET	50066	445	192.168.2.6	52.252.59.4
Jan 14, 2025 20:57:28.965430021 CET	50067	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.970196009 CET	445	50067	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:28.970484018 CET	50067	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.970484018 CET	50067	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.972125053 CET	445	50066	52.252.59.4	192.168.2.6
Jan 14, 2025 20:57:28.972876072 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.977762938 CET	445	50068	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:28.977835894 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.977909088 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.980581045 CET	445	50066	52.252.59.4	192.168.2.6
Jan 14, 2025 20:57:28.980633020 CET	50066	445	192.168.2.6	52.252.59.4
Jan 14, 2025 20:57:28.981213093 CET	445	50067	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:28.981266975 CET	50067	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:28.984392881 CET	445	50068	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:30.295459986 CET	445	49715	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:30.295614958 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:30.295614958 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:30.295713902 CET	49715	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:30.300390959 CET	445	49715	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:30.300486088 CET	445	49715	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:30.974654913 CET	50099	445	192.168.2.6	14.86.25.59
Jan 14, 2025 20:57:30.979569912 CET	445	50099	14.86.25.59	192.168.2.6
Jan 14, 2025 20:57:30.979665995 CET	50099	445	192.168.2.6	14.86.25.59
Jan 14, 2025 20:57:30.979700089 CET	50099	445	192.168.2.6	14.86.25.59
Jan 14, 2025 20:57:30.979860067 CET	50100	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.984778881 CET	445	50099	14.86.25.59	192.168.2.6
Jan 14, 2025 20:57:30.984788895 CET	445	50100	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:30.984842062 CET	50099	445	192.168.2.6	14.86.25.59
Jan 14, 2025 20:57:30.984925032 CET	50100	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.985039949 CET	50100	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.985336065 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.989823103 CET	445	50100	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:30.989886999 CET	50100	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.990155935 CET	445	50101	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:30.990294933 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.990333080 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:30.995244026 CET	445	50101	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:32.256916046 CET	445	49741	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:32.257392883 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:32.261720896 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:32.261982918 CET	49741	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:32.266535997 CET	445	49741	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:32.266696930 CET	445	49741	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:32.990215063 CET	50135	445	192.168.2.6	26.197.227.129
Jan 14, 2025 20:57:32.995148897 CET	445	50135	26.197.227.129	192.168.2.6
Jan 14, 2025 20:57:32.995260000 CET	50135	445	192.168.2.6	26.197.227.129
Jan 14, 2025 20:57:32.995305061 CET	50135	445	192.168.2.6	26.197.227.129
Jan 14, 2025 20:57:32.995547056 CET	50136	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.000153065 CET	445	50135	26.197.227.129	192.168.2.6
Jan 14, 2025 20:57:33.000323057 CET	445	50136	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:33.000391960 CET	50136	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.000435114 CET	50136	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.000556946 CET	445	50135	26.197.227.129	192.168.2.6
Jan 14, 2025 20:57:33.000598907 CET	50135	445	192.168.2.6	26.197.227.129
Jan 14, 2025 20:57:33.000814915 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.005601883 CET	445	50136	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:33.005680084 CET	50136	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.005731106 CET	445	50137	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:33.005800009 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.005853891 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:33.010627031 CET	445	50137	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:33.308633089 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:33.313534021 CET	445	50143	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:33.313616037 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:33.313688993 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:33.318404913 CET	445	50143	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:34.216489077 CET	445	49772	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:34.216564894 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:34.216614962 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:34.216691971 CET	49772	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:34.221426010 CET	445	49772	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:34.221438885 CET	445	49772	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:35.093703032 CET	50159	445	192.168.2.6	116.178.208.121
Jan 14, 2025 20:57:35.098635912 CET	445	50159	116.178.208.121	192.168.2.6
Jan 14, 2025 20:57:35.098757982 CET	50159	445	192.168.2.6	116.178.208.121
Jan 14, 2025 20:57:35.100771904 CET	50159	445	192.168.2.6	116.178.208.121
Jan 14, 2025 20:57:35.105648041 CET	445	50159	116.178.208.121	192.168.2.6
Jan 14, 2025 20:57:35.105741024 CET	50159	445	192.168.2.6	116.178.208.121
Jan 14, 2025 20:57:35.112097025 CET	50160	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.117014885 CET	445	50160	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:35.117094994 CET	50160	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.117290020 CET	50160	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.117866039 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.122179031 CET	445	50160	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:35.122239113 CET	50160	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.122637987 CET	445	50161	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:35.122699976 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.122740030 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:35.127559900 CET	445	50161	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:35.272233963 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:35.278359890 CET	445	50164	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:35.278440952 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:35.278542995 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:35.284529924 CET	445	50164	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:36.251679897 CET	445	49810	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:36.251768112 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:36.251851082 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:36.251939058 CET	49810	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:36.256624937 CET	445	49810	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:36.256668091 CET	445	49810	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:37.099741936 CET	50174	445	192.168.2.6	116.90.121.241
Jan 14, 2025 20:57:37.104666948 CET	445	50174	116.90.121.241	192.168.2.6
Jan 14, 2025 20:57:37.104794025 CET	50174	445	192.168.2.6	116.90.121.241
Jan 14, 2025 20:57:37.104908943 CET	50174	445	192.168.2.6	116.90.121.241
Jan 14, 2025 20:57:37.105113983 CET	50175	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.109859943 CET	445	50175	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:37.109967947 CET	50175	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.110045910 CET	50175	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.110234022 CET	445	50174	116.90.121.241	192.168.2.6
Jan 14, 2025 20:57:37.110321045 CET	50174	445	192.168.2.6	116.90.121.241
Jan 14, 2025 20:57:37.110589027 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.115250111 CET	445	50175	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:37.115329981 CET	50175	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.115365028 CET	445	50176	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:37.115736961 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.115787029 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:37.120495081 CET	445	50176	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:37.225948095 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:37.230887890 CET	445	50177	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:37.231029987 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:37.231111050 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:37.235848904 CET	445	50177	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:38.246210098 CET	445	49847	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:38.246377945 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:38.246447086 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:38.246534109 CET	49847	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:38.251308918 CET	445	49847	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:38.251327038 CET	445	49847	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:39.115241051 CET	50186	445	192.168.2.6	114.252.160.189
Jan 14, 2025 20:57:39.120187998 CET	445	50186	114.252.160.189	192.168.2.6
Jan 14, 2025 20:57:39.120428085 CET	50186	445	192.168.2.6	114.252.160.189
Jan 14, 2025 20:57:39.120532990 CET	50186	445	192.168.2.6	114.252.160.189
Jan 14, 2025 20:57:39.120819092 CET	50187	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.125586987 CET	445	50187	114.252.160.1	192.168.2.6
Jan 14, 2025 20:57:39.125660896 CET	50187	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.125708103 CET	445	50186	114.252.160.189	192.168.2.6
Jan 14, 2025 20:57:39.125713110 CET	50187	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.125756979 CET	50186	445	192.168.2.6	114.252.160.189
Jan 14, 2025 20:57:39.126300097 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.131124020 CET	445	50188	114.252.160.1	192.168.2.6
Jan 14, 2025 20:57:39.131236076 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.131269932 CET	445	50187	114.252.160.1	192.168.2.6
Jan 14, 2025 20:57:39.131274939 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.131334066 CET	50187	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:57:39.136064053 CET	445	50188	114.252.160.1	192.168.2.6
Jan 14, 2025 20:57:39.255734921 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:39.260637045 CET	445	50190	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:39.260730028 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:39.260791063 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:57:39.265584946 CET	445	50190	49.79.158.1	192.168.2.6
Jan 14, 2025 20:57:40.294943094 CET	445	49881	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:40.296112061 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:40.296176910 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:40.296262026 CET	49881	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:40.308401108 CET	445	49881	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:40.308444977 CET	445	49881	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:41.130795956 CET	50200	445	192.168.2.6	194.163.210.65
Jan 14, 2025 20:57:41.135658026 CET	445	50200	194.163.210.65	192.168.2.6
Jan 14, 2025 20:57:41.135742903 CET	50200	445	192.168.2.6	194.163.210.65
Jan 14, 2025 20:57:41.135823011 CET	50200	445	192.168.2.6	194.163.210.65
Jan 14, 2025 20:57:41.136037111 CET	50201	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.140839100 CET	445	50200	194.163.210.65	192.168.2.6
Jan 14, 2025 20:57:41.140851974 CET	445	50201	194.163.210.1	192.168.2.6
Jan 14, 2025 20:57:41.140893936 CET	50200	445	192.168.2.6	194.163.210.65
Jan 14, 2025 20:57:41.140969992 CET	50201	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.141100883 CET	50201	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.141557932 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.145889044 CET	445	50201	194.163.210.1	192.168.2.6
Jan 14, 2025 20:57:41.145940065 CET	50201	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.146401882 CET	445	50202	194.163.210.1	192.168.2.6
Jan 14, 2025 20:57:41.146461010 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.146501064 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:57:41.151346922 CET	445	50202	194.163.210.1	192.168.2.6
Jan 14, 2025 20:57:41.255737066 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:41.260641098 CET	445	50203	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:41.260775089 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:41.260873079 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:57:41.265598059 CET	445	50203	44.86.39.1	192.168.2.6
Jan 14, 2025 20:57:41.435720921 CET	443	49930	173.222.162.64	192.168.2.6
Jan 14, 2025 20:57:41.435785055 CET	49930	443	192.168.2.6	173.222.162.64
Jan 14, 2025 20:57:42.343789101 CET	445	49916	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:42.343934059 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:42.343934059 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:42.346726894 CET	49916	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:42.348794937 CET	445	49916	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:42.351475954 CET	445	49916	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:43.254556894 CET	50212	445	192.168.2.6	38.202.131.61
Jan 14, 2025 20:57:43.259432077 CET	445	50212	38.202.131.61	192.168.2.6
Jan 14, 2025 20:57:43.259540081 CET	50212	445	192.168.2.6	38.202.131.61
Jan 14, 2025 20:57:43.259677887 CET	50212	445	192.168.2.6	38.202.131.61
Jan 14, 2025 20:57:43.259885073 CET	50213	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.264672995 CET	445	50213	38.202.131.1	192.168.2.6
Jan 14, 2025 20:57:43.264766932 CET	50213	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.264775038 CET	445	50212	38.202.131.61	192.168.2.6
Jan 14, 2025 20:57:43.264825106 CET	50212	445	192.168.2.6	38.202.131.61
Jan 14, 2025 20:57:43.264976978 CET	50213	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.266804934 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.269745111 CET	445	50213	38.202.131.1	192.168.2.6
Jan 14, 2025 20:57:43.269815922 CET	50213	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.271601915 CET	445	50214	38.202.131.1	192.168.2.6
Jan 14, 2025 20:57:43.271671057 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.337275982 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:57:43.342191935 CET	445	50214	38.202.131.1	192.168.2.6
Jan 14, 2025 20:57:43.555767059 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:43.721242905 CET	445	50215	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:43.721323967 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:43.721441984 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:57:43.726231098 CET	445	50215	97.239.252.1	192.168.2.6
Jan 14, 2025 20:57:44.293869019 CET	445	49957	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:44.293956995 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:44.293992043 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:44.294080973 CET	49957	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:44.298780918 CET	445	49957	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:44.298821926 CET	445	49957	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:45.084357977 CET	50224	445	192.168.2.6	131.241.117.245
Jan 14, 2025 20:57:45.089317083 CET	445	50224	131.241.117.245	192.168.2.6
Jan 14, 2025 20:57:45.089493990 CET	50224	445	192.168.2.6	131.241.117.245
Jan 14, 2025 20:57:45.089493990 CET	50224	445	192.168.2.6	131.241.117.245
Jan 14, 2025 20:57:45.089627028 CET	50225	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.094444990 CET	445	50225	131.241.117.1	192.168.2.6
Jan 14, 2025 20:57:45.094521999 CET	50225	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.094542980 CET	445	50224	131.241.117.245	192.168.2.6
Jan 14, 2025 20:57:45.094547987 CET	50225	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.095074892 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.095139980 CET	50224	445	192.168.2.6	131.241.117.245
Jan 14, 2025 20:57:45.099792957 CET	445	50225	131.241.117.1	192.168.2.6
Jan 14, 2025 20:57:45.099847078 CET	50225	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.099908113 CET	445	50226	131.241.117.1	192.168.2.6
Jan 14, 2025 20:57:45.099972963 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.100006104 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:57:45.104759932 CET	445	50226	131.241.117.1	192.168.2.6
Jan 14, 2025 20:57:45.349345922 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:45.354494095 CET	445	50231	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:45.354724884 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:45.354724884 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:57:45.359652042 CET	445	50231	89.1.159.1	192.168.2.6
Jan 14, 2025 20:57:45.959208965 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:45.959250927 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:45.959336996 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:45.960072041 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:45.960084915 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.423717976 CET	445	49995	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:46.423796892 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:46.423830032 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:46.423883915 CET	49995	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:46.428637981 CET	445	49995	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:46.428648949 CET	445	49995	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:46.740674019 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.740770102 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.743089914 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.743096113 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.743465900 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.745399952 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.745496035 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.745501041 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.745738029 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.787341118 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.834233999 CET	50240	445	192.168.2.6	53.130.241.206
Jan 14, 2025 20:57:46.839222908 CET	445	50240	53.130.241.206	192.168.2.6
Jan 14, 2025 20:57:46.839319944 CET	50240	445	192.168.2.6	53.130.241.206
Jan 14, 2025 20:57:46.839350939 CET	50240	445	192.168.2.6	53.130.241.206
Jan 14, 2025 20:57:46.839607000 CET	50241	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.844424963 CET	445	50241	53.130.241.1	192.168.2.6
Jan 14, 2025 20:57:46.844435930 CET	445	50240	53.130.241.206	192.168.2.6
Jan 14, 2025 20:57:46.844532967 CET	50241	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.844533920 CET	50240	445	192.168.2.6	53.130.241.206
Jan 14, 2025 20:57:46.844904900 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.849538088 CET	445	50241	53.130.241.1	192.168.2.6
Jan 14, 2025 20:57:46.849610090 CET	50241	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.849787951 CET	445	50242	53.130.241.1	192.168.2.6
Jan 14, 2025 20:57:46.849848986 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.849894047 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:57:46.854955912 CET	445	50242	53.130.241.1	192.168.2.6
Jan 14, 2025 20:57:46.915812016 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.915921926 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:46.915999889 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.916223049 CET	50232	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:57:46.916240931 CET	443	50232	40.113.103.199	192.168.2.6
Jan 14, 2025 20:57:47.302498102 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:47.307374954 CET	445	50244	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:47.307476044 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:47.307506084 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:57:47.312355995 CET	445	50244	12.102.130.1	192.168.2.6
Jan 14, 2025 20:57:48.324431896 CET	445	50031	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:48.324567080 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:48.324654102 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:48.324709892 CET	50031	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:48.329498053 CET	445	50031	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:48.329513073 CET	445	50031	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:48.474592924 CET	50253	445	192.168.2.6	25.198.44.178
Jan 14, 2025 20:57:48.479850054 CET	445	50253	25.198.44.178	192.168.2.6
Jan 14, 2025 20:57:48.479953051 CET	50253	445	192.168.2.6	25.198.44.178
Jan 14, 2025 20:57:48.480061054 CET	50253	445	192.168.2.6	25.198.44.178
Jan 14, 2025 20:57:48.480235100 CET	50254	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.485337019 CET	445	50253	25.198.44.178	192.168.2.6
Jan 14, 2025 20:57:48.485399008 CET	50253	445	192.168.2.6	25.198.44.178
Jan 14, 2025 20:57:48.485479116 CET	445	50254	25.198.44.1	192.168.2.6
Jan 14, 2025 20:57:48.485547066 CET	50254	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.485649109 CET	50254	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.486066103 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.491139889 CET	445	50254	25.198.44.1	192.168.2.6
Jan 14, 2025 20:57:48.491197109 CET	50254	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.491266012 CET	445	50255	25.198.44.1	192.168.2.6
Jan 14, 2025 20:57:48.491328001 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.491352081 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:57:48.496706009 CET	445	50255	25.198.44.1	192.168.2.6
Jan 14, 2025 20:57:49.427292109 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:49.432109118 CET	445	50260	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:49.432193995 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:49.432216883 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:57:49.437017918 CET	445	50260	98.102.89.1	192.168.2.6
Jan 14, 2025 20:57:50.006288052 CET	50264	445	192.168.2.6	37.56.78.12
Jan 14, 2025 20:57:50.011159897 CET	445	50264	37.56.78.12	192.168.2.6
Jan 14, 2025 20:57:50.011317968 CET	50264	445	192.168.2.6	37.56.78.12
Jan 14, 2025 20:57:50.011317968 CET	50264	445	192.168.2.6	37.56.78.12
Jan 14, 2025 20:57:50.011481047 CET	50265	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.016159058 CET	445	50264	37.56.78.12	192.168.2.6
Jan 14, 2025 20:57:50.016302109 CET	445	50265	37.56.78.1	192.168.2.6
Jan 14, 2025 20:57:50.016315937 CET	445	50264	37.56.78.12	192.168.2.6
Jan 14, 2025 20:57:50.016366005 CET	50265	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.016438007 CET	50264	445	192.168.2.6	37.56.78.12
Jan 14, 2025 20:57:50.016597986 CET	50265	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.017113924 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.021389961 CET	445	50265	37.56.78.1	192.168.2.6
Jan 14, 2025 20:57:50.021452904 CET	50265	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.021904945 CET	445	50266	37.56.78.1	192.168.2.6
Jan 14, 2025 20:57:50.021977901 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.022031069 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:57:50.026848078 CET	445	50266	37.56.78.1	192.168.2.6
Jan 14, 2025 20:57:50.377036095 CET	445	50068	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:50.377185106 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:50.377291918 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:50.377360106 CET	50068	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:50.382153034 CET	445	50068	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:50.382168055 CET	445	50068	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:50.864167929 CET	80	49704	84.201.210.36	192.168.2.6
Jan 14, 2025 20:57:50.864547014 CET	49704	80	192.168.2.6	84.201.210.36
Jan 14, 2025 20:57:50.864661932 CET	49704	80	192.168.2.6	84.201.210.36
Jan 14, 2025 20:57:50.870238066 CET	80	49704	84.201.210.36	192.168.2.6
Jan 14, 2025 20:57:51.333616972 CET	50272	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:51.340254068 CET	445	50272	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:51.340379953 CET	50272	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:51.340411901 CET	50272	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:57:51.346832991 CET	445	50272	43.54.236.1	192.168.2.6
Jan 14, 2025 20:57:51.428095102 CET	50276	445	192.168.2.6	23.233.104.201
Jan 14, 2025 20:57:51.434587002 CET	445	50276	23.233.104.201	192.168.2.6
Jan 14, 2025 20:57:51.434659004 CET	50276	445	192.168.2.6	23.233.104.201
Jan 14, 2025 20:57:51.434786081 CET	50276	445	192.168.2.6	23.233.104.201
Jan 14, 2025 20:57:51.434866905 CET	50277	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.441323042 CET	445	50277	23.233.104.1	192.168.2.6
Jan 14, 2025 20:57:51.441334963 CET	445	50276	23.233.104.201	192.168.2.6
Jan 14, 2025 20:57:51.441421986 CET	50276	445	192.168.2.6	23.233.104.201
Jan 14, 2025 20:57:51.441485882 CET	50277	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.441593885 CET	50277	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.441981077 CET	50278	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.446582079 CET	445	50277	23.233.104.1	192.168.2.6
Jan 14, 2025 20:57:51.446722031 CET	50277	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.447196007 CET	445	50278	23.233.104.1	192.168.2.6
Jan 14, 2025 20:57:51.447258949 CET	50278	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.447305918 CET	50278	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:57:51.453680038 CET	445	50278	23.233.104.1	192.168.2.6
Jan 14, 2025 20:57:52.373157978 CET	445	50101	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:52.373382092 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:52.373425961 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:52.373450994 CET	50101	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:52.379157066 CET	445	50101	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:52.379168987 CET	445	50101	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:52.756053925 CET	50284	445	192.168.2.6	137.253.225.34
Jan 14, 2025 20:57:52.761035919 CET	445	50284	137.253.225.34	192.168.2.6
Jan 14, 2025 20:57:52.761164904 CET	50284	445	192.168.2.6	137.253.225.34
Jan 14, 2025 20:57:52.761207104 CET	50284	445	192.168.2.6	137.253.225.34
Jan 14, 2025 20:57:52.761614084 CET	50285	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.766314983 CET	445	50284	137.253.225.34	192.168.2.6
Jan 14, 2025 20:57:52.766416073 CET	50284	445	192.168.2.6	137.253.225.34
Jan 14, 2025 20:57:52.766439915 CET	445	50285	137.253.225.1	192.168.2.6
Jan 14, 2025 20:57:52.766539097 CET	50285	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.766539097 CET	50285	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.767261028 CET	50286	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.771591902 CET	445	50285	137.253.225.1	192.168.2.6
Jan 14, 2025 20:57:52.771728992 CET	50285	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.772062063 CET	445	50286	137.253.225.1	192.168.2.6
Jan 14, 2025 20:57:52.772142887 CET	50286	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.772213936 CET	50286	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:57:52.777085066 CET	445	50286	137.253.225.1	192.168.2.6
Jan 14, 2025 20:57:53.380620003 CET	50291	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:53.385881901 CET	445	50291	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:53.386023998 CET	50291	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:53.386120081 CET	50291	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:57:53.390858889 CET	445	50291	52.252.59.1	192.168.2.6
Jan 14, 2025 20:57:54.005912066 CET	50295	445	192.168.2.6	177.147.64.92
Jan 14, 2025 20:57:54.010821104 CET	445	50295	177.147.64.92	192.168.2.6
Jan 14, 2025 20:57:54.010967970 CET	50295	445	192.168.2.6	177.147.64.92
Jan 14, 2025 20:57:54.011010885 CET	50295	445	192.168.2.6	177.147.64.92
Jan 14, 2025 20:57:54.011154890 CET	50296	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.015959978 CET	445	50296	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:54.016068935 CET	50296	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.016108990 CET	445	50295	177.147.64.92	192.168.2.6
Jan 14, 2025 20:57:54.016114950 CET	50296	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.016163111 CET	50295	445	192.168.2.6	177.147.64.92
Jan 14, 2025 20:57:54.016546965 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.021151066 CET	445	50296	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:54.021315098 CET	445	50297	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:54.021325111 CET	50296	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.021399021 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.021451950 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:54.026196003 CET	445	50297	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:54.376946926 CET	445	50137	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:54.377123117 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:54.377173901 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:54.377213001 CET	50137	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:54.381997108 CET	445	50137	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:54.382010937 CET	445	50137	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:54.688965082 CET	445	50143	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:54.689089060 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:54.689241886 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:54.689385891 CET	50143	445	192.168.2.6	115.153.235.1
Jan 14, 2025 20:57:54.694328070 CET	445	50143	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:54.694339037 CET	445	50143	115.153.235.1	192.168.2.6
Jan 14, 2025 20:57:54.755758047 CET	50301	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.760641098 CET	445	50301	115.153.235.2	192.168.2.6
Jan 14, 2025 20:57:54.760725975 CET	50301	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.760827065 CET	50301	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.761234045 CET	50302	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.765714884 CET	445	50301	115.153.235.2	192.168.2.6
Jan 14, 2025 20:57:54.765759945 CET	50301	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.765995979 CET	445	50302	115.153.235.2	192.168.2.6
Jan 14, 2025 20:57:54.766047001 CET	50302	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.766102076 CET	50302	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:57:54.770816088 CET	445	50302	115.153.235.2	192.168.2.6
Jan 14, 2025 20:57:55.177900076 CET	50303	445	192.168.2.6	72.217.90.242
Jan 14, 2025 20:57:55.182755947 CET	445	50303	72.217.90.242	192.168.2.6
Jan 14, 2025 20:57:55.182845116 CET	50303	445	192.168.2.6	72.217.90.242
Jan 14, 2025 20:57:55.182914972 CET	50303	445	192.168.2.6	72.217.90.242
Jan 14, 2025 20:57:55.183157921 CET	50304	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.187971115 CET	445	50304	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:55.188076973 CET	50304	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.188136101 CET	445	50303	72.217.90.242	192.168.2.6
Jan 14, 2025 20:57:55.188215971 CET	50304	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.188726902 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.193516970 CET	445	50305	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:55.193597078 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.193636894 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.196130991 CET	445	50304	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:55.199445963 CET	445	50305	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:55.204636097 CET	445	50303	72.217.90.242	192.168.2.6
Jan 14, 2025 20:57:55.204813957 CET	50303	445	192.168.2.6	72.217.90.242
Jan 14, 2025 20:57:55.204881907 CET	445	50304	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:55.204931974 CET	50304	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:55.381722927 CET	50309	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:55.386739016 CET	445	50309	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:55.386845112 CET	50309	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:55.386924028 CET	50309	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:57:55.391671896 CET	445	50309	14.86.25.1	192.168.2.6
Jan 14, 2025 20:57:55.976020098 CET	445	50297	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:55.976099014 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:55.976150990 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:55.976210117 CET	50297	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:55.980894089 CET	445	50297	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:55.980933905 CET	445	50297	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:56.255861044 CET	50314	445	192.168.2.6	89.75.246.158
Jan 14, 2025 20:57:56.260721922 CET	445	50314	89.75.246.158	192.168.2.6
Jan 14, 2025 20:57:56.260932922 CET	50314	445	192.168.2.6	89.75.246.158
Jan 14, 2025 20:57:56.260950089 CET	50314	445	192.168.2.6	89.75.246.158
Jan 14, 2025 20:57:56.261123896 CET	50315	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.265963078 CET	445	50315	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:56.266028881 CET	445	50314	89.75.246.158	192.168.2.6
Jan 14, 2025 20:57:56.266036034 CET	50315	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.266061068 CET	50315	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.266073942 CET	50314	445	192.168.2.6	89.75.246.158
Jan 14, 2025 20:57:56.266488075 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.272202969 CET	445	50315	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:56.272259951 CET	50315	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.272480011 CET	445	50316	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:56.272533894 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.272578001 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:56.277580976 CET	445	50316	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:56.515877962 CET	445	50161	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:56.515970945 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:56.519607067 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:56.519658089 CET	50161	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:56.524390936 CET	445	50161	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:56.524406910 CET	445	50161	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:56.654323101 CET	445	50164	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:56.654429913 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:56.654495955 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:56.654576063 CET	50164	445	192.168.2.6	26.20.34.1
Jan 14, 2025 20:57:56.659632921 CET	445	50164	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:56.659651041 CET	445	50164	26.20.34.1	192.168.2.6
Jan 14, 2025 20:57:56.708966970 CET	50317	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.713896990 CET	445	50317	26.20.34.2	192.168.2.6
Jan 14, 2025 20:57:56.713984966 CET	50317	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.714039087 CET	50317	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.714489937 CET	50319	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.719037056 CET	445	50317	26.20.34.2	192.168.2.6
Jan 14, 2025 20:57:56.719120979 CET	50317	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.719276905 CET	445	50319	26.20.34.2	192.168.2.6
Jan 14, 2025 20:57:56.719348907 CET	50319	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.719383001 CET	50319	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:57:56.724566936 CET	445	50319	26.20.34.2	192.168.2.6
Jan 14, 2025 20:57:56.785885096 CET	445	50305	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:56.785964966 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:56.786010981 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:56.786058903 CET	50305	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:56.790920973 CET	445	50305	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:56.790939093 CET	445	50305	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:57.271981955 CET	50324	445	192.168.2.6	193.228.157.116
Jan 14, 2025 20:57:57.276856899 CET	445	50324	193.228.157.116	192.168.2.6
Jan 14, 2025 20:57:57.276994944 CET	50324	445	192.168.2.6	193.228.157.116
Jan 14, 2025 20:57:57.277089119 CET	50325	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.277091026 CET	50324	445	192.168.2.6	193.228.157.116
Jan 14, 2025 20:57:57.281878948 CET	445	50325	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:57.281946898 CET	50325	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.281991005 CET	445	50324	193.228.157.116	192.168.2.6
Jan 14, 2025 20:57:57.282049894 CET	50324	445	192.168.2.6	193.228.157.116
Jan 14, 2025 20:57:57.282089949 CET	50325	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.282393932 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.286904097 CET	445	50325	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:57.286978960 CET	50325	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.287240028 CET	445	50326	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:57.287292957 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.287343025 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:57.292097092 CET	445	50326	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:57.380609035 CET	50327	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:57.386378050 CET	445	50327	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:57.386528015 CET	50327	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:57.386579037 CET	50327	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:57:57.391442060 CET	445	50327	26.197.227.1	192.168.2.6
Jan 14, 2025 20:57:58.053327084 CET	445	50316	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:58.054481030 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:58.054548025 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:58.054600954 CET	50316	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:57:58.059381008 CET	445	50316	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:58.059391975 CET	445	50316	89.75.246.1	192.168.2.6
Jan 14, 2025 20:57:58.208913088 CET	50334	445	192.168.2.6	49.158.7.42
Jan 14, 2025 20:57:58.213694096 CET	445	50334	49.158.7.42	192.168.2.6
Jan 14, 2025 20:57:58.213783026 CET	50334	445	192.168.2.6	49.158.7.42
Jan 14, 2025 20:57:58.213825941 CET	50334	445	192.168.2.6	49.158.7.42
Jan 14, 2025 20:57:58.214047909 CET	50335	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.218699932 CET	445	50334	49.158.7.42	192.168.2.6
Jan 14, 2025 20:57:58.218764067 CET	50334	445	192.168.2.6	49.158.7.42
Jan 14, 2025 20:57:58.218836069 CET	445	50335	49.158.7.1	192.168.2.6
Jan 14, 2025 20:57:58.218887091 CET	50335	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.218928099 CET	50335	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.219229937 CET	50336	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.223844051 CET	445	50335	49.158.7.1	192.168.2.6
Jan 14, 2025 20:57:58.223908901 CET	50335	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.223999023 CET	445	50336	49.158.7.1	192.168.2.6
Jan 14, 2025 20:57:58.227200985 CET	50336	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.227263927 CET	50336	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:57:58.232008934 CET	445	50336	49.158.7.1	192.168.2.6
Jan 14, 2025 20:57:58.547147989 CET	445	50176	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:58.547224998 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:58.547267914 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:58.547307014 CET	50176	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:57:58.552105904 CET	445	50176	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:58.552120924 CET	445	50176	116.90.121.1	192.168.2.6
Jan 14, 2025 20:57:58.790512085 CET	445	50177	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:58.790591002 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:58.790709972 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:58.790874958 CET	50177	445	192.168.2.6	125.52.121.1
Jan 14, 2025 20:57:58.795422077 CET	445	50177	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:58.795630932 CET	445	50177	125.52.121.1	192.168.2.6
Jan 14, 2025 20:57:58.849690914 CET	50342	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.854645967 CET	445	50342	125.52.121.2	192.168.2.6
Jan 14, 2025 20:57:58.854768991 CET	50342	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.854823112 CET	50342	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.855231047 CET	50343	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.859816074 CET	445	50342	125.52.121.2	192.168.2.6
Jan 14, 2025 20:57:58.859896898 CET	50342	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.860050917 CET	445	50343	125.52.121.2	192.168.2.6
Jan 14, 2025 20:57:58.860115051 CET	50343	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.860151052 CET	50343	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:57:58.864943981 CET	445	50343	125.52.121.2	192.168.2.6
Jan 14, 2025 20:57:58.971431017 CET	445	50326	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:58.971507072 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:58.971549034 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:58.971596956 CET	50326	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:57:58.976450920 CET	445	50326	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:58.976468086 CET	445	50326	193.228.157.1	192.168.2.6
Jan 14, 2025 20:57:58.989814997 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:58.994653940 CET	445	50344	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:58.994736910 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:58.994791985 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:57:58.999708891 CET	445	50344	177.147.64.1	192.168.2.6
Jan 14, 2025 20:57:59.083869934 CET	50346	445	192.168.2.6	158.143.48.67
Jan 14, 2025 20:57:59.088701963 CET	445	50346	158.143.48.67	192.168.2.6
Jan 14, 2025 20:57:59.088771105 CET	50346	445	192.168.2.6	158.143.48.67
Jan 14, 2025 20:57:59.088865042 CET	50346	445	192.168.2.6	158.143.48.67
Jan 14, 2025 20:57:59.089135885 CET	50347	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.093689919 CET	445	50346	158.143.48.67	192.168.2.6
Jan 14, 2025 20:57:59.093744993 CET	50346	445	192.168.2.6	158.143.48.67
Jan 14, 2025 20:57:59.093970060 CET	445	50347	158.143.48.1	192.168.2.6
Jan 14, 2025 20:57:59.094043016 CET	50347	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.094115019 CET	50347	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.094475985 CET	50348	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.098915100 CET	445	50347	158.143.48.1	192.168.2.6
Jan 14, 2025 20:57:59.098978996 CET	50347	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.099268913 CET	445	50348	158.143.48.1	192.168.2.6
Jan 14, 2025 20:57:59.099343061 CET	50348	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.099375010 CET	50348	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:57:59.104237080 CET	445	50348	158.143.48.1	192.168.2.6
Jan 14, 2025 20:57:59.521121025 CET	50352	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:59.525958061 CET	445	50352	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:59.526058912 CET	50352	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:59.526058912 CET	50352	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:57:59.530915976 CET	445	50352	116.178.208.1	192.168.2.6
Jan 14, 2025 20:57:59.786832094 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:59.791695118 CET	445	50354	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:59.791913033 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:59.791913033 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:57:59.796849966 CET	445	50354	72.217.90.1	192.168.2.6
Jan 14, 2025 20:57:59.912414074 CET	50357	445	192.168.2.6	18.241.31.36
Jan 14, 2025 20:57:59.917432070 CET	445	50357	18.241.31.36	192.168.2.6
Jan 14, 2025 20:57:59.917591095 CET	50357	445	192.168.2.6	18.241.31.36
Jan 14, 2025 20:57:59.917612076 CET	50357	445	192.168.2.6	18.241.31.36
Jan 14, 2025 20:57:59.917783022 CET	50358	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.922609091 CET	445	50358	18.241.31.1	192.168.2.6
Jan 14, 2025 20:57:59.922693968 CET	445	50357	18.241.31.36	192.168.2.6
Jan 14, 2025 20:57:59.922691107 CET	50358	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.922749043 CET	50358	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.922760010 CET	50357	445	192.168.2.6	18.241.31.36
Jan 14, 2025 20:57:59.923109055 CET	50359	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.927925110 CET	445	50359	18.241.31.1	192.168.2.6
Jan 14, 2025 20:57:59.927938938 CET	445	50358	18.241.31.1	192.168.2.6
Jan 14, 2025 20:57:59.928002119 CET	50358	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.928025961 CET	50359	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.928097010 CET	50359	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:57:59.932881117 CET	445	50359	18.241.31.1	192.168.2.6
Jan 14, 2025 20:58:00.500236034 CET	445	50188	114.252.160.1	192.168.2.6
Jan 14, 2025 20:58:00.500303030 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:00.500348091 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:00.500386000 CET	50188	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:00.505219936 CET	445	50188	114.252.160.1	192.168.2.6
Jan 14, 2025 20:58:00.505235910 CET	445	50188	114.252.160.1	192.168.2.6
Jan 14, 2025 20:58:00.622415066 CET	445	50190	49.79.158.1	192.168.2.6
Jan 14, 2025 20:58:00.622581005 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:58:00.622637987 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:58:00.622718096 CET	50190	445	192.168.2.6	49.79.158.1
Jan 14, 2025 20:58:00.627814054 CET	445	50190	49.79.158.1	192.168.2.6
Jan 14, 2025 20:58:00.627825975 CET	445	50190	49.79.158.1	192.168.2.6
Jan 14, 2025 20:58:00.677714109 CET	50360	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.682641029 CET	445	50360	49.79.158.2	192.168.2.6
Jan 14, 2025 20:58:00.682751894 CET	50360	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.682887077 CET	50360	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.683844090 CET	50361	445	192.168.2.6	201.118.194.137
Jan 14, 2025 20:58:00.683984995 CET	50362	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.687876940 CET	445	50360	49.79.158.2	192.168.2.6
Jan 14, 2025 20:58:00.687932968 CET	50360	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.688677073 CET	445	50361	201.118.194.137	192.168.2.6
Jan 14, 2025 20:58:00.688750982 CET	50361	445	192.168.2.6	201.118.194.137
Jan 14, 2025 20:58:00.688776016 CET	50361	445	192.168.2.6	201.118.194.137
Jan 14, 2025 20:58:00.688787937 CET	445	50362	49.79.158.2	192.168.2.6
Jan 14, 2025 20:58:00.688832998 CET	50362	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.688942909 CET	50362	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:00.688942909 CET	50363	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.693851948 CET	445	50362	49.79.158.2	192.168.2.6
Jan 14, 2025 20:58:00.693870068 CET	445	50363	201.118.194.1	192.168.2.6
Jan 14, 2025 20:58:00.694036007 CET	50363	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.694104910 CET	50363	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.694214106 CET	445	50361	201.118.194.137	192.168.2.6
Jan 14, 2025 20:58:00.694259882 CET	50361	445	192.168.2.6	201.118.194.137
Jan 14, 2025 20:58:00.694485903 CET	50364	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.699044943 CET	445	50363	201.118.194.1	192.168.2.6
Jan 14, 2025 20:58:00.699178934 CET	50363	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.699266911 CET	445	50364	201.118.194.1	192.168.2.6
Jan 14, 2025 20:58:00.699333906 CET	50364	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.699352026 CET	50364	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:00.704155922 CET	445	50364	201.118.194.1	192.168.2.6
Jan 14, 2025 20:58:00.931237936 CET	445	50344	177.147.64.1	192.168.2.6
Jan 14, 2025 20:58:00.931406975 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:58:00.931458950 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:58:00.931503057 CET	50344	445	192.168.2.6	177.147.64.1
Jan 14, 2025 20:58:00.936758995 CET	445	50344	177.147.64.1	192.168.2.6
Jan 14, 2025 20:58:00.936770916 CET	445	50344	177.147.64.1	192.168.2.6
Jan 14, 2025 20:58:00.990173101 CET	50365	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:00.995079041 CET	445	50365	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:00.995206118 CET	50365	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:00.995349884 CET	50365	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:00.995702028 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:01.000210047 CET	445	50365	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:01.000368118 CET	445	50365	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:01.000413895 CET	50365	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:01.000534058 CET	445	50366	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:01.000588894 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:01.000629902 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:01.005379915 CET	445	50366	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:01.068213940 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:01.073136091 CET	445	50367	89.75.246.1	192.168.2.6
Jan 14, 2025 20:58:01.073256016 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:01.073309898 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:01.078078985 CET	445	50367	89.75.246.1	192.168.2.6
Jan 14, 2025 20:58:01.373563051 CET	445	50354	72.217.90.1	192.168.2.6
Jan 14, 2025 20:58:01.373729944 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:58:01.373773098 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:58:01.373817921 CET	50354	445	192.168.2.6	72.217.90.1
Jan 14, 2025 20:58:01.378675938 CET	445	50354	72.217.90.1	192.168.2.6
Jan 14, 2025 20:58:01.378686905 CET	445	50354	72.217.90.1	192.168.2.6
Jan 14, 2025 20:58:01.427551985 CET	50369	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.432585955 CET	445	50369	72.217.90.2	192.168.2.6
Jan 14, 2025 20:58:01.432729006 CET	50369	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.432877064 CET	50369	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.433386087 CET	50370	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.438256979 CET	445	50370	72.217.90.2	192.168.2.6
Jan 14, 2025 20:58:01.438272953 CET	445	50369	72.217.90.2	192.168.2.6
Jan 14, 2025 20:58:01.438374043 CET	50369	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.438391924 CET	50370	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.438483953 CET	50370	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:01.443259001 CET	445	50370	72.217.90.2	192.168.2.6
Jan 14, 2025 20:58:01.552567005 CET	50371	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:58:01.557507992 CET	445	50371	116.90.121.1	192.168.2.6
Jan 14, 2025 20:58:01.557672977 CET	50371	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:58:01.557708025 CET	50371	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:58:01.562514067 CET	445	50371	116.90.121.1	192.168.2.6
Jan 14, 2025 20:58:01.974456072 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:01.980288982 CET	445	50372	193.228.157.1	192.168.2.6
Jan 14, 2025 20:58:01.980458021 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:01.980520010 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:01.985253096 CET	445	50372	193.228.157.1	192.168.2.6
Jan 14, 2025 20:58:02.513720989 CET	445	50202	194.163.210.1	192.168.2.6
Jan 14, 2025 20:58:02.513791084 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:02.513890982 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:02.513937950 CET	50202	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:02.518754959 CET	445	50202	194.163.210.1	192.168.2.6
Jan 14, 2025 20:58:02.518773079 CET	445	50202	194.163.210.1	192.168.2.6
Jan 14, 2025 20:58:02.672151089 CET	445	50203	44.86.39.1	192.168.2.6
Jan 14, 2025 20:58:02.672233105 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:58:02.672343016 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:58:02.672446012 CET	50203	445	192.168.2.6	44.86.39.1
Jan 14, 2025 20:58:02.677174091 CET	445	50203	44.86.39.1	192.168.2.6
Jan 14, 2025 20:58:02.677408934 CET	445	50203	44.86.39.1	192.168.2.6
Jan 14, 2025 20:58:02.803545952 CET	50376	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.809478998 CET	445	50376	44.86.39.2	192.168.2.6
Jan 14, 2025 20:58:02.809551001 CET	50376	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.809757948 CET	50376	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.814037085 CET	50377	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.815121889 CET	445	50376	44.86.39.2	192.168.2.6
Jan 14, 2025 20:58:02.815172911 CET	50376	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.818914890 CET	445	50377	44.86.39.2	192.168.2.6
Jan 14, 2025 20:58:02.818968058 CET	50377	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.819041967 CET	50377	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:02.823769093 CET	445	50377	44.86.39.2	192.168.2.6
Jan 14, 2025 20:58:02.848902941 CET	445	50367	89.75.246.1	192.168.2.6
Jan 14, 2025 20:58:02.848979950 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:02.849265099 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:02.849309921 CET	50367	445	192.168.2.6	89.75.246.1
Jan 14, 2025 20:58:02.854074955 CET	445	50367	89.75.246.1	192.168.2.6
Jan 14, 2025 20:58:02.854087114 CET	445	50367	89.75.246.1	192.168.2.6
Jan 14, 2025 20:58:02.911833048 CET	50378	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.916759014 CET	445	50378	89.75.246.2	192.168.2.6
Jan 14, 2025 20:58:02.916836977 CET	50378	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.916995049 CET	50378	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.917460918 CET	50379	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.922023058 CET	445	50378	89.75.246.2	192.168.2.6
Jan 14, 2025 20:58:02.922076941 CET	50378	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.922239065 CET	445	50379	89.75.246.2	192.168.2.6
Jan 14, 2025 20:58:02.922307014 CET	50379	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.922341108 CET	50379	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:02.927123070 CET	445	50379	89.75.246.2	192.168.2.6
Jan 14, 2025 20:58:02.927402020 CET	445	50366	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:02.927453041 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:02.927505016 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:02.927561045 CET	50366	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:02.932297945 CET	445	50366	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:02.932308912 CET	445	50366	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:03.505688906 CET	50382	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:03.510859013 CET	445	50382	114.252.160.1	192.168.2.6
Jan 14, 2025 20:58:03.511090994 CET	50382	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:03.511137009 CET	50382	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:03.516171932 CET	445	50382	114.252.160.1	192.168.2.6
Jan 14, 2025 20:58:03.684451103 CET	445	50372	193.228.157.1	192.168.2.6
Jan 14, 2025 20:58:03.684622049 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:03.684672117 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:03.684726954 CET	50372	445	192.168.2.6	193.228.157.1
Jan 14, 2025 20:58:03.689409018 CET	445	50372	193.228.157.1	192.168.2.6
Jan 14, 2025 20:58:03.689431906 CET	445	50372	193.228.157.1	192.168.2.6
Jan 14, 2025 20:58:03.740011930 CET	50384	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.744765997 CET	445	50384	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:03.744842052 CET	50384	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.744920969 CET	50384	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.745429993 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.749716043 CET	445	50384	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:03.749773979 CET	50384	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.750235081 CET	445	50385	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:03.750288010 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.750333071 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:03.755043983 CET	445	50385	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:04.637279034 CET	445	50214	38.202.131.1	192.168.2.6
Jan 14, 2025 20:58:04.637481928 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:04.637526035 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:04.637615919 CET	50214	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:04.642448902 CET	445	50214	38.202.131.1	192.168.2.6
Jan 14, 2025 20:58:04.642465115 CET	445	50214	38.202.131.1	192.168.2.6
Jan 14, 2025 20:58:05.090950966 CET	445	50215	97.239.252.1	192.168.2.6
Jan 14, 2025 20:58:05.091104031 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:58:05.091269016 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:58:05.091327906 CET	50215	445	192.168.2.6	97.239.252.1
Jan 14, 2025 20:58:05.096189022 CET	445	50215	97.239.252.1	192.168.2.6
Jan 14, 2025 20:58:05.096203089 CET	445	50215	97.239.252.1	192.168.2.6
Jan 14, 2025 20:58:05.146497011 CET	50395	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.151385069 CET	445	50395	97.239.252.2	192.168.2.6
Jan 14, 2025 20:58:05.151460886 CET	50395	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.151535988 CET	50395	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.151945114 CET	50396	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.156574011 CET	445	50395	97.239.252.2	192.168.2.6
Jan 14, 2025 20:58:05.156639099 CET	50395	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.156757116 CET	445	50396	97.239.252.2	192.168.2.6
Jan 14, 2025 20:58:05.156815052 CET	50396	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.156847000 CET	50396	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:05.161570072 CET	445	50396	97.239.252.2	192.168.2.6
Jan 14, 2025 20:58:05.435981035 CET	445	50385	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:05.436145067 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:05.436184883 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:05.436239958 CET	50385	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:05.440969944 CET	445	50385	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:05.440983057 CET	445	50385	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:05.521234035 CET	50399	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:05.526161909 CET	445	50399	194.163.210.1	192.168.2.6
Jan 14, 2025 20:58:05.526276112 CET	50399	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:05.526360035 CET	50399	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:05.531191111 CET	445	50399	194.163.210.1	192.168.2.6
Jan 14, 2025 20:58:05.943025112 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:05.947838068 CET	445	50404	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:05.947923899 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:05.947997093 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:05.952795982 CET	445	50404	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:06.486594915 CET	445	50226	131.241.117.1	192.168.2.6
Jan 14, 2025 20:58:06.486747026 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:06.486790895 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:06.486844063 CET	50226	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:06.491581917 CET	445	50226	131.241.117.1	192.168.2.6
Jan 14, 2025 20:58:06.491612911 CET	445	50226	131.241.117.1	192.168.2.6
Jan 14, 2025 20:58:06.715435028 CET	445	50231	89.1.159.1	192.168.2.6
Jan 14, 2025 20:58:06.715586901 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:58:06.715586901 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:58:06.715640068 CET	50231	445	192.168.2.6	89.1.159.1
Jan 14, 2025 20:58:06.720474005 CET	445	50231	89.1.159.1	192.168.2.6
Jan 14, 2025 20:58:06.720487118 CET	445	50231	89.1.159.1	192.168.2.6
Jan 14, 2025 20:58:06.771509886 CET	50414	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.776458025 CET	445	50414	89.1.159.2	192.168.2.6
Jan 14, 2025 20:58:06.776566982 CET	50414	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.776619911 CET	50414	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.777048111 CET	50415	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.781742096 CET	445	50414	89.1.159.2	192.168.2.6
Jan 14, 2025 20:58:06.781836033 CET	50414	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.781876087 CET	445	50415	89.1.159.2	192.168.2.6
Jan 14, 2025 20:58:06.781940937 CET	50415	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.782011032 CET	50415	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:06.786840916 CET	445	50415	89.1.159.2	192.168.2.6
Jan 14, 2025 20:58:07.653201103 CET	50428	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:07.658211946 CET	445	50428	38.202.131.1	192.168.2.6
Jan 14, 2025 20:58:07.658287048 CET	50428	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:07.658354044 CET	50428	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:07.663168907 CET	445	50428	38.202.131.1	192.168.2.6
Jan 14, 2025 20:58:07.846105099 CET	445	50404	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:07.846172094 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:07.846236944 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:07.846319914 CET	50404	445	192.168.2.6	177.147.64.2
Jan 14, 2025 20:58:07.851111889 CET	445	50404	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:07.851130009 CET	445	50404	177.147.64.2	192.168.2.6
Jan 14, 2025 20:58:07.912868977 CET	50432	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.917948961 CET	445	50432	177.147.64.3	192.168.2.6
Jan 14, 2025 20:58:07.918052912 CET	50432	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.918203115 CET	50432	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.918685913 CET	50433	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.923331022 CET	445	50432	177.147.64.3	192.168.2.6
Jan 14, 2025 20:58:07.923398972 CET	50432	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.923526049 CET	445	50433	177.147.64.3	192.168.2.6
Jan 14, 2025 20:58:07.923616886 CET	50433	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.923687935 CET	50433	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:07.928455114 CET	445	50433	177.147.64.3	192.168.2.6
Jan 14, 2025 20:58:08.215342999 CET	445	50242	53.130.241.1	192.168.2.6
Jan 14, 2025 20:58:08.215428114 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:08.215476036 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:08.215532064 CET	50242	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:08.220293045 CET	445	50242	53.130.241.1	192.168.2.6
Jan 14, 2025 20:58:08.220316887 CET	445	50242	53.130.241.1	192.168.2.6
Jan 14, 2025 20:58:08.443079948 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:08.447875977 CET	445	50444	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:08.448015928 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:08.448059082 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:08.452963114 CET	445	50444	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:08.668541908 CET	445	50244	12.102.130.1	192.168.2.6
Jan 14, 2025 20:58:08.668768883 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:58:08.668839931 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:58:08.668945074 CET	50244	445	192.168.2.6	12.102.130.1
Jan 14, 2025 20:58:08.673676014 CET	445	50244	12.102.130.1	192.168.2.6
Jan 14, 2025 20:58:08.673748016 CET	445	50244	12.102.130.1	192.168.2.6
Jan 14, 2025 20:58:08.724675894 CET	50448	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.729762077 CET	445	50448	12.102.130.2	192.168.2.6
Jan 14, 2025 20:58:08.729887962 CET	50448	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.729928017 CET	50448	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.730561972 CET	50450	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.735402107 CET	445	50450	12.102.130.2	192.168.2.6
Jan 14, 2025 20:58:08.735572100 CET	50450	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.735621929 CET	50450	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.736129045 CET	445	50448	12.102.130.2	192.168.2.6
Jan 14, 2025 20:58:08.736838102 CET	445	50448	12.102.130.2	192.168.2.6
Jan 14, 2025 20:58:08.736926079 CET	50448	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:08.740402937 CET	445	50450	12.102.130.2	192.168.2.6
Jan 14, 2025 20:58:09.489841938 CET	50469	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:09.494654894 CET	445	50469	131.241.117.1	192.168.2.6
Jan 14, 2025 20:58:09.494807005 CET	50469	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:09.494826078 CET	50469	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:09.499721050 CET	445	50469	131.241.117.1	192.168.2.6
Jan 14, 2025 20:58:09.855832100 CET	445	50255	25.198.44.1	192.168.2.6
Jan 14, 2025 20:58:09.855914116 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:58:09.856086016 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:58:09.856086016 CET	50255	445	192.168.2.6	25.198.44.1
Jan 14, 2025 20:58:09.861394882 CET	445	50255	25.198.44.1	192.168.2.6
Jan 14, 2025 20:58:09.861404896 CET	445	50255	25.198.44.1	192.168.2.6
Jan 14, 2025 20:58:10.126516104 CET	445	50444	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:10.126660109 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:10.129735947 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:10.129774094 CET	50444	445	192.168.2.6	193.228.157.2
Jan 14, 2025 20:58:10.134995937 CET	445	50444	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:10.135006905 CET	445	50444	193.228.157.2	192.168.2.6
Jan 14, 2025 20:58:10.264369965 CET	50489	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.269354105 CET	445	50489	193.228.157.3	192.168.2.6
Jan 14, 2025 20:58:10.269423008 CET	50489	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.272898912 CET	50489	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.277795076 CET	445	50489	193.228.157.3	192.168.2.6
Jan 14, 2025 20:58:10.277849913 CET	50489	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.281276941 CET	50491	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.286108971 CET	445	50491	193.228.157.3	192.168.2.6
Jan 14, 2025 20:58:10.286205053 CET	50491	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.289335012 CET	50491	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:10.294122934 CET	445	50491	193.228.157.3	192.168.2.6
Jan 14, 2025 20:58:10.793565035 CET	445	50260	98.102.89.1	192.168.2.6
Jan 14, 2025 20:58:10.793685913 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:58:10.793725014 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:58:10.793761015 CET	50260	445	192.168.2.6	98.102.89.1
Jan 14, 2025 20:58:10.798507929 CET	445	50260	98.102.89.1	192.168.2.6
Jan 14, 2025 20:58:10.798536062 CET	445	50260	98.102.89.1	192.168.2.6
Jan 14, 2025 20:58:10.849356890 CET	50510	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.854285955 CET	445	50510	98.102.89.2	192.168.2.6
Jan 14, 2025 20:58:10.854381084 CET	50510	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.854454994 CET	50510	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.854758978 CET	50511	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.859430075 CET	445	50510	98.102.89.2	192.168.2.6
Jan 14, 2025 20:58:10.859489918 CET	50510	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.859541893 CET	445	50511	98.102.89.2	192.168.2.6
Jan 14, 2025 20:58:10.859600067 CET	50511	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.859647036 CET	50511	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:10.864428043 CET	445	50511	98.102.89.2	192.168.2.6
Jan 14, 2025 20:58:11.224488020 CET	50527	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:11.229382038 CET	445	50527	53.130.241.1	192.168.2.6
Jan 14, 2025 20:58:11.229578972 CET	50527	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:11.229604006 CET	50527	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:11.234414101 CET	445	50527	53.130.241.1	192.168.2.6
Jan 14, 2025 20:58:11.389363050 CET	445	50266	37.56.78.1	192.168.2.6
Jan 14, 2025 20:58:11.389617920 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:58:11.389694929 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:58:11.389717102 CET	50266	445	192.168.2.6	37.56.78.1
Jan 14, 2025 20:58:11.394673109 CET	445	50266	37.56.78.1	192.168.2.6
Jan 14, 2025 20:58:11.394714117 CET	445	50266	37.56.78.1	192.168.2.6
Jan 14, 2025 20:58:12.699820042 CET	445	50272	43.54.236.1	192.168.2.6
Jan 14, 2025 20:58:12.699886084 CET	50272	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:58:12.833043098 CET	445	50278	23.233.104.1	192.168.2.6
Jan 14, 2025 20:58:12.833199024 CET	50278	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:58:14.032330990 CET	50343	445	192.168.2.6	125.52.121.2
Jan 14, 2025 20:58:14.032392979 CET	50415	445	192.168.2.6	89.1.159.2
Jan 14, 2025 20:58:14.032438040 CET	50319	445	192.168.2.6	26.20.34.2
Jan 14, 2025 20:58:14.032501936 CET	50396	445	192.168.2.6	97.239.252.2
Jan 14, 2025 20:58:14.032540083 CET	50302	445	192.168.2.6	115.153.235.2
Jan 14, 2025 20:58:14.032655001 CET	50272	445	192.168.2.6	43.54.236.1
Jan 14, 2025 20:58:14.032702923 CET	50278	445	192.168.2.6	23.233.104.1
Jan 14, 2025 20:58:14.032720089 CET	50286	445	192.168.2.6	137.253.225.1
Jan 14, 2025 20:58:14.032752991 CET	50291	445	192.168.2.6	52.252.59.1
Jan 14, 2025 20:58:14.032820940 CET	50309	445	192.168.2.6	14.86.25.1
Jan 14, 2025 20:58:14.032850981 CET	50379	445	192.168.2.6	89.75.246.2
Jan 14, 2025 20:58:14.032855988 CET	50433	445	192.168.2.6	177.147.64.3
Jan 14, 2025 20:58:14.032877922 CET	50428	445	192.168.2.6	38.202.131.1
Jan 14, 2025 20:58:14.032908916 CET	50327	445	192.168.2.6	26.197.227.1
Jan 14, 2025 20:58:14.032996893 CET	50336	445	192.168.2.6	49.158.7.1
Jan 14, 2025 20:58:14.033036947 CET	50348	445	192.168.2.6	158.143.48.1
Jan 14, 2025 20:58:14.033066034 CET	50352	445	192.168.2.6	116.178.208.1
Jan 14, 2025 20:58:14.033109903 CET	50359	445	192.168.2.6	18.241.31.1
Jan 14, 2025 20:58:14.033138037 CET	50370	445	192.168.2.6	72.217.90.2
Jan 14, 2025 20:58:14.033149004 CET	50362	445	192.168.2.6	49.79.158.2
Jan 14, 2025 20:58:14.033198118 CET	50364	445	192.168.2.6	201.118.194.1
Jan 14, 2025 20:58:14.033226013 CET	50377	445	192.168.2.6	44.86.39.2
Jan 14, 2025 20:58:14.033253908 CET	50371	445	192.168.2.6	116.90.121.1
Jan 14, 2025 20:58:14.033288002 CET	50382	445	192.168.2.6	114.252.160.1
Jan 14, 2025 20:58:14.033391953 CET	50399	445	192.168.2.6	194.163.210.1
Jan 14, 2025 20:58:14.033478022 CET	50450	445	192.168.2.6	12.102.130.2
Jan 14, 2025 20:58:14.033514023 CET	50527	445	192.168.2.6	53.130.241.1
Jan 14, 2025 20:58:14.033560038 CET	50469	445	192.168.2.6	131.241.117.1
Jan 14, 2025 20:58:14.033612013 CET	50491	445	192.168.2.6	193.228.157.3
Jan 14, 2025 20:58:14.033695936 CET	50511	445	192.168.2.6	98.102.89.2
Jan 14, 2025 20:58:15.664417982 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:15.664489031 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:15.664570093 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:15.665851116 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:15.665867090 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.453968048 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.454083920 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.456398964 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.456410885 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.456800938 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.459028006 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.459093094 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.459099054 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.459233999 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.499334097 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.632059097 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.632268906 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:16.632366896 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.632653952 CET	50637	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:16.632684946 CET	443	50637	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:39.568202972 CET	49706	80	192.168.2.6	2.23.77.188
Jan 14, 2025 20:58:39.568301916 CET	49703	443	192.168.2.6	40.126.32.72
Jan 14, 2025 20:58:39.573297024 CET	80	49706	2.23.77.188	192.168.2.6
Jan 14, 2025 20:58:39.573375940 CET	49706	80	192.168.2.6	2.23.77.188
Jan 14, 2025 20:58:39.573471069 CET	443	49703	40.126.32.72	192.168.2.6
Jan 14, 2025 20:58:39.573524952 CET	49703	443	192.168.2.6	40.126.32.72
Jan 14, 2025 20:58:42.114948988 CET	49707	443	192.168.2.6	40.126.32.72
Jan 14, 2025 20:58:42.312913895 CET	443	49707	40.126.32.72	192.168.2.6
Jan 14, 2025 20:58:42.313036919 CET	49707	443	192.168.2.6	40.126.32.72
Jan 14, 2025 20:58:53.842154026 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:53.842207909 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:53.842521906 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:53.843096972 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:53.843112946 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.620146990 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.620215893 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.628264904 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.628294945 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.628603935 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.633480072 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.633610964 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.633620977 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.633857965 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.675333977 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.803750992 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.803848982 CET	443	50639	40.113.103.199	192.168.2.6
Jan 14, 2025 20:58:54.803922892 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.804439068 CET	50639	443	192.168.2.6	40.113.103.199
Jan 14, 2025 20:58:54.804465055 CET	443	50639	40.113.103.199	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 20:57:07.396425009 CET	56557	53	192.168.2.6	1.1.1.1
Jan 14, 2025 20:57:07.405013084 CET	53	56557	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 20:57:07.396425009 CET	192.168.2.6	1.1.1.1	0x220a	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 20:57:07.405013084 CET	1.1.1.1	192.168.2.6	0x220a	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 14, 2025 20:57:07.405013084 CET	1.1.1.1	192.168.2.6	0x220a	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	104.16.167.228	80	5896	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 20:57:07.417496920 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 20:57:07.895226955 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 19:57:07 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9020317bd8e442a9-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49712	104.16.167.228	80	4208	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 20:57:08.288737059 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 20:57:08.781863928 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 19:57:08 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902031817b7cf3bb-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49726	104.16.167.228	80	1924	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 20:57:09.380431890 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 20:57:09.842781067 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 19:57:09 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 902031882d99f5f8-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:57:04 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6c 79 6d 66 4f 43 34 59 37 45 79 68 33 72 55 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 35 64 33 64 35 39 37 36 39 64 32 34 62 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: lymfOC4Y7Eyh3rUf.1Context: a15d3d59769d24b9
2025-01-14 19:57:04 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:57:04 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6c 79 6d 66 4f 43 34 59 37 45 79 68 33 72 55 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 35 64 33 64 35 39 37 36 39 64 32 34 62 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: lymfOC4Y7Eyh3rUf.2Context: a15d3d59769d24b9<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:57:04 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6c 79 6d 66 4f 43 34 59 37 45 79 68 33 72 55 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 31 35 64 33 64 35 39 37 36 39 64 32 34 62 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: lymfOC4Y7Eyh3rUf.3Context: a15d3d59769d24b9<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:57:04 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:57:04 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6b 59 5a 30 5a 42 47 44 33 45 79 6c 30 47 72 44 57 37 48 4f 47 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: kYZ0ZBGD3Eyl0GrDW7HOGQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49752	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:57:12 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 30 4a 41 4f 47 78 63 36 6d 30 4f 68 46 6c 65 45 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 64 64 66 36 35 61 61 64 37 38 64 66 64 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 0JAOGxc6m0OhFleE.1Context: 91ddf65aad78dfdf
2025-01-14 19:57:12 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:57:12 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 30 4a 41 4f 47 78 63 36 6d 30 4f 68 46 6c 65 45 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 64 64 66 36 35 61 61 64 37 38 64 66 64 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 0JAOGxc6m0OhFleE.2Context: 91ddf65aad78dfdf<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:57:12 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 30 4a 41 4f 47 78 63 36 6d 30 4f 68 46 6c 65 45 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 31 64 64 66 36 35 61 61 64 37 38 64 66 64 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 0JAOGxc6m0OhFleE.3Context: 91ddf65aad78dfdf<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:57:12 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:57:12 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 45 65 4a 2f 30 77 61 51 56 45 79 42 4e 58 6a 6f 49 70 63 30 5a 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: EeJ/0waQVEyBNXjoIpc0Zw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	49990	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:57:25 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 31 59 47 53 50 68 77 2f 45 55 47 4f 6f 45 52 30 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 63 62 35 33 33 36 31 33 61 33 64 62 34 62 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 1YGSPhw/EUGOoER0.1Context: c1cb533613a3db4b
2025-01-14 19:57:25 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:57:25 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 31 59 47 53 50 68 77 2f 45 55 47 4f 6f 45 52 30 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 63 62 35 33 33 36 31 33 61 33 64 62 34 62 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 1YGSPhw/EUGOoER0.2Context: c1cb533613a3db4b<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:57:25 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 31 59 47 53 50 68 77 2f 45 55 47 4f 6f 45 52 30 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 31 63 62 35 33 33 36 31 33 61 33 64 62 34 62 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 1YGSPhw/EUGOoER0.3Context: c1cb533613a3db4b<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:57:26 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:57:26 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 46 69 5a 31 73 6a 50 63 49 55 71 50 52 66 59 34 67 32 52 41 69 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: FiZ1sjPcIUqPRfY4g2RAiw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50232	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:57:46 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 74 70 33 34 37 33 59 6e 71 6b 69 47 4f 77 7a 72 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 39 65 65 64 66 35 31 63 36 38 33 33 66 36 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: tp3473YnqkiGOwzr.1Context: d9eedf51c6833f66
2025-01-14 19:57:46 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:57:46 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 74 70 33 34 37 33 59 6e 71 6b 69 47 4f 77 7a 72 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 39 65 65 64 66 35 31 63 36 38 33 33 66 36 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: tp3473YnqkiGOwzr.2Context: d9eedf51c6833f66<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:57:46 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 74 70 33 34 37 33 59 6e 71 6b 69 47 4f 77 7a 72 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 64 39 65 65 64 66 35 31 63 36 38 33 33 66 36 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: tp3473YnqkiGOwzr.3Context: d9eedf51c6833f66<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:57:46 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:57:46 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2b 35 36 42 49 77 47 2b 37 45 53 2f 4c 74 54 50 6a 62 4d 4a 32 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: +56BIwG+7ES/LtTPjbMJ2g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50637	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:58:16 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6d 6d 79 65 59 4c 55 70 63 45 61 50 7a 72 38 6e 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 64 62 38 63 39 63 61 66 63 64 61 36 34 33 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: mmyeYLUpcEaPzr8n.1Context: cdb8c9cafcda643f
2025-01-14 19:58:16 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:58:16 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6d 6d 79 65 59 4c 55 70 63 45 61 50 7a 72 38 6e 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 64 62 38 63 39 63 61 66 63 64 61 36 34 33 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: mmyeYLUpcEaPzr8n.2Context: cdb8c9cafcda643f<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:58:16 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6d 6d 79 65 59 4c 55 70 63 45 61 50 7a 72 38 6e 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 64 62 38 63 39 63 61 66 63 64 61 36 34 33 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: mmyeYLUpcEaPzr8n.3Context: cdb8c9cafcda643f<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:58:16 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:58:16 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 73 63 6e 61 5a 42 73 79 6b 30 69 43 6f 57 49 6a 53 75 78 39 33 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: scnaZBsyk0iCoWIjSux93A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50639	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 19:58:54 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 64 7a 54 4f 47 51 76 71 79 45 6d 6b 76 38 79 4c 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 61 31 39 36 39 33 37 34 38 66 36 66 30 39 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: dzTOGQvqyEmkv8yL.1Context: 4a19693748f6f094
2025-01-14 19:58:54 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 19:58:54 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 64 7a 54 4f 47 51 76 71 79 45 6d 6b 76 38 79 4c 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 61 31 39 36 39 33 37 34 38 66 36 66 30 39 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 56 32 38 61 71 61 2b 59 31 32 54 4a 69 33 32 7a 50 47 62 55 56 32 2b 6a 58 44 2f 74 51 66 77 53 70 6e 56 63 69 70 77 74 49 49 79 37 46 58 4f 4f 5a 35 78 4a 51 4c 42 57 62 41 75 45 67 79 2b 68 57 68 68 6a 62 76 77 66 54 30 75 2f 79 54 51 78 54 49 38 6d 58 50 70 7a 43 49 6d 70 67 4a 35 47 53 59 47 6b 59 77 6a 63 4b 33 68 48 30 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: dzTOGQvqyEmkv8yL.2Context: 4a19693748f6f094<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAV28aqa+Y12TJi32zPGbUV2+jXD/tQfwSpnVcipwtIIy7FXOOZ5xJQLBWbAuEgy+hWhhjbvwfT0u/yTQxTI8mXPpzCImpgJ5GSYGkYwjcK3hH0
2025-01-14 19:58:54 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 64 7a 54 4f 47 51 76 71 79 45 6d 6b 76 38 79 4c 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 34 61 31 39 36 39 33 37 34 38 66 36 66 30 39 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: dzTOGQvqyEmkv8yL.3Context: 4a19693748f6f094<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 19:58:54 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 19:58:54 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 42 31 4e 6f 42 58 2b 77 35 6b 2b 4a 35 6c 6b 78 53 37 41 31 72 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: B1NoBX+w5k+J5lkxS7A1rg.0Payload parsing failed.

Target ID:	0
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll"
Imagebase:	0x100000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\mCgW5qofxC.dll,PlayGame
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",#1
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:57:05
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	FC9B6711FD800ECCBF960932F0E9B75B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2184434328.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2184692680.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:57:07
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	FC9B6711FD800ECCBF960932F0E9B75B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2852248132.00000000023DE000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2200457017.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2200675746.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2848443868.0000000001EBD000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:57:08
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	16A8FDD68114C10EAE3C843FAFF5916B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2209536984.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 94%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:57:08
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\mCgW5qofxC.dll",PlayGame
Imagebase:	0x240000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:57:08
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	FC9B6711FD800ECCBF960932F0E9B75B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.2212468574.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.2221303870.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.2211938201.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.2221455318.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	14:57:09
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	16A8FDD68114C10EAE3C843FAFF5916B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.2220670094.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.2220295913.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F940EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA
CreateFileA, xrefs: 00407D0F
C:\%s\qeriuwjhrf, xrefs: 00407E12
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000006.00000002.2210313922.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2210233834.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210336557.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210432736.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2210313922.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2210233834.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210336557.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210432736.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.2210313922.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2210233834.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210336557.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210432736.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F940EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.2210313922.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2210233834.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210336557.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210432736.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F940EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2210313922.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2210233834.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210336557.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210360491.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210432736.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2210521733.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 4208, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F940EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2846322215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2846304244.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846339586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846422098.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846547321.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2846322215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2846304244.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846339586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846422098.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846547321.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F940EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000008.00000002.2846322215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2846304244.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846339586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846422098.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846547321.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F940EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

kernel32.dll, xrefs: 00407CEA
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
tasksche.exe, xrefs: 00407DEA
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000008.00000002.2846322215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2846304244.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846339586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846422098.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846547321.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2846322215.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2846304244.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846339586.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846354979.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846407296.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846422098.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846547321.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2846653961.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 1372, Parent PID: 5896COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
\..\, xrefs: 00406DD9
\../, xrefs: 00406DE7
/../, xrefs: 00406DF5

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptGenKey, xrefs: 00401AAD
CryptImportKey, xrefs: 00401A79
advapi32.dll, xrefs: 00401A55
CryptDecrypt, xrefs: 00401AA0
CryptEncrypt, xrefs: 00401A93
CryptDestroyKey, xrefs: 00401A86
CryptAcquireContextA, xrefs: 00401A71

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

CloseHandle, xrefs: 0040178C
WriteFile, xrefs: 0040174B
MoveFileW, xrefs: 00401765
kernel32.dll, xrefs: 00401727
CreateFileW, xrefs: 00401743
ReadFile, xrefs: 00401758
MoveFileExW, xrefs: 00401772
DeleteFileW, xrefs: 0040177F

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 004072F6
%s%s, xrefs: 00407389
\, xrefs: 00407358
:, xrefs: 0040736E

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

tasksche.exe, xrefs: 00402061, 0040206D, 00402075
attrib +h ., xrefs: 004020DC
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
TaskStart, xrefs: 00402145
t.wnry, xrefs: 00402125

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

WanaCrypt0r, xrefs: 00401145
Software\, xrefs: 0040110A
0@, xrefs: 00401157

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

GetNativeSystemInfo, xrefs: 004022A1
kernel32.dll, xrefs: 0040228C
?!@, xrefs: 004021F8

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000009.00000002.2209907174.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2209891624.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209924244.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209940443.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2209956155.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mCgW5qofxC.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
mCgW5qofxC.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON