Edit tour

Windows Analysis Report
MK9UBUl8t7.dll

Overview

General Information

Sample name:	MK9UBUl8t7.dll renamed because original name is a hash value
Original sample name:	3dbc8386e91b0e967982fe4aafbbd881.dll
Analysis ID:	1591271
MD5:	3dbc8386e91b0e967982fe4aafbbd881
SHA1:	64c4c9fe40c0f9bf354ecc4b731176be31f63605
SHA256:	12866963100f93d368d9fb48b4d0f30e4b7eb472f682edc9b1b9899af88bdc59
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5012 cmdline: loaddll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6324 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5644 cmdline: rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 4364 cmdline: C:\WINDOWS\mssecsvc.exe MD5: B6B99570116F243C44FDBE0BA9F28457)

tasksche.exe (PID: 2104 cmdline: C:\WINDOWS\tasksche.exe /i MD5: A789C1E681FAEDB49BB1AA2019E860F8)

rundll32.exe (PID: 6436 cmdline: rundll32.exe C:\Users\user\Desktop\MK9UBUl8t7.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1804 cmdline: rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 5960 cmdline: C:\WINDOWS\mssecsvc.exe MD5: B6B99570116F243C44FDBE0BA9F28457)

tasksche.exe (PID: 4616 cmdline: C:\WINDOWS\tasksche.exe /i MD5: A789C1E681FAEDB49BB1AA2019E860F8)

mssecsvc.exe (PID: 5140 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: B6B99570116F243C44FDBE0BA9F28457)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
MK9UBUl8t7.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
MK9UBUl8t7.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
MK9UBUl8t7.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.2220780305.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.2212673700.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.2205429511.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.2232690744.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.2212865403.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.2204915938.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2236660623.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000002.2235508681.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.2236444659.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000000.2234860689.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.2232351876.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 4364	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 5140	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 5960	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.214b8c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.214b8c8.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.1c57128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1c57128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1c57128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1c34104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1c34104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1c34104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1c34104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1c25084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1c25084.5.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.215a948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.215a948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.215a948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.215a948.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.217d96c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.217d96c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.217d96c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1c57128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1c57128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1c57128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.217d96c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.217d96c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.217d96c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.215a948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.215a948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.215a948.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.214b8c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.214b8c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.214b8c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.214b8c8.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.1c300a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1c300a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1c300a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1c25084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1c25084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x289de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x279bb0:$x3: tasksche.exe 0x289dc0:$x3: tasksche.exe 0x289d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x289e14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x24426c:$x7: mssecsvc.exe 0x25fb94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x279b88:$x8: C:\%s\qeriuwjhrf 0x289de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x244254:$s1: C:\%s\%s 0x25fb7c:$s1: C:\%s\%s 0x279b9c:$s1: C:\%s\%s 0x289d14:$s3: cmd.exe /c "%s" 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x276ed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$
8.2.mssecsvc.exe.1c25084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1c25084.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x289dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x289de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1c25084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x27c8fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x250984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2508d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25225a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2820a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.21568e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.21568e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.21568e8.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1c34104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1c34104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1c34104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 118 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: MK9UBUl8t7.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\mssecsvc.exe	Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 95%
Source: C:\WINDOWS\qeriuwjhrf (copy)	Virustotal: Detection: 89%	Perma Link
Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\mssecsvc.exe	Virustotal: Detection: 91%	Perma Link
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 95%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 89%	Perma Link

Multi AV Scanner detection for submitted file

Source: MK9UBUl8t7.dll	ReversingLabs: Detection: 94%
Source: MK9UBUl8t7.dll	Virustotal: Detection: 91%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected
Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MK9UBUl8t7.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 9_2_004018B9 CryptReleaseContext,

9_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: MK9UBUl8t7.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49969 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50271 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50618 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50619 version: TLS 1.2

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown

HTTPS traffic detected: 173.222.162.64:443 -> 192.168.2.6:49969 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.46
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 205.249.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.180
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.180
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.180
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.180
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.216.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.211
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.211
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.211
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.211
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1
Source: unknown	TCP traffic detected without corresponding DNS query: 124.244.132.1

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50435
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50618
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown	Network traffic detected: HTTP traffic on port 50619 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50619
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50618 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50271
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 50271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50014 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50271 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50435 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50618 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:50619 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

9_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: MK9UBUl8t7.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.215a948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1c300a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.21568e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1c34104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.2212673700.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.2204915938.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2236444659.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.2232351876.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4364, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5140, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 5960, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: MK9UBUl8t7.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: MK9UBUl8t7.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.214b8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.214b8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c25084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c25084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.215a948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.215a948.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c300a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c300a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.21568e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.21568e8.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1c34104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1c34104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.2220780305.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.2205429511.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.2232690744.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2212865403.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.2236660623.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.2235508681.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.2234860689.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 9_2_00406C40	9_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402A76	9_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402E7E	9_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040350F	9_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00404C19	9_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040541F	9_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00403797	9_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 9_2_004043B7	9_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 9_2_004031BC	9_2_004031BC

Source: mssecsvc.exe.4.dr	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: MK9UBUl8t7.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: MK9UBUl8t7.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: MK9UBUl8t7.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.214b8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.214b8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c57128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1c34104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c25084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c25084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.215a948.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.217d96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c57128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.217d96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.215a948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.215a948.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.214b8c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c300a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c300a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c25084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.21568e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.21568e8.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1c34104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1c34104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.2220780305.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.2205429511.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.2232690744.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2212865403.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.2236660623.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.2235508681.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.2234860689.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LocalPack-RU-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat\Wh
Source: mssecsvc.exe.4.dr	Binary string: C\Device\HarddiskVolume2\Windows\SoftwareDistribution\DataStore\Logs
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbohci.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\cdrom.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exe]
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core~31bf3856ad364e35~x86~~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.catp
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\IPMIDrv.sys.muiUp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\errdev.sys
Source: mssecsvc.exe.4.dr	Binary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\fdc.sysm
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\GAGP30KX.SYS
Source: mssecsvc.exe.4.dr	Binary string: 1\Device\HarddiskVolume2\Windows\ehome\ehrecvr.exe
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\fastfat.sys
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sysp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini&
Source: mssecsvc.exe.4.dr	Binary string: f\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History-38:
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111~31bf3856ad364e35~x86~~6.1.1.0.catdop
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\rdbss.sys.mui\p
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: mssecsvc.exe.4.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\devenum.dll.p
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\hidir.syswor
Source: mssecsvc.exe.4.dr	Binary string: h\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat'*
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sys
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\Logs\SystemRestore
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\BrSerId.sys
Source: mssecsvc.exe.4.dr	Binary string: L\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef_200_percent.pak.zfsp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc003.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYSx
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~ja-JP~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sys
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\en-US\ipnat.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00a.cat
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xmlp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr002.cat.p
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\MTConfig.sys
Source: mssecsvc.exe.4.dr	Binary string: n\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111~31bf3856ad364e35~x86~~6.1.1.0.catDa
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~ja-JP~6.1.7601.17514.caty
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky009.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catndo
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysl\2
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky008.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys'*
Source: mssecsvc.exe.4.dr	Binary string: B\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\DRM\v3ks.secX
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\msdmo.dllF75p
Source: mssecsvc.exe.4.dr	Binary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookiesp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00h.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep004.catp
Source: mssecsvc.exe.4.dr	Binary string: C\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ntfs.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prngt004.catW
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catH
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep005.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sys
Source: mssecsvc.exe.4.dr	Binary string: y\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002V
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\ULIAGPKX.SYS
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat\Wp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\wacompen.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep004.cat\
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ULIAGPKX.SYS.mui
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-RemoteClient-Setup-LanguagePack~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat3p
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr009.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-Licensing-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntph.catw
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\intelide.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Xps-Foundation-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00d.catp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\partmgr.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr006.catH
Source: mssecsvc.exe.4.dr	Binary string: B\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\DRM\v3ks.blaX
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\wdf01000.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ws2ifsl.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnnr003.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr003.cat:
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~x86~~6.1.7601.17514.catGtn
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx003.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc007.catp
Source: mssecsvc.exe.4.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\httpapi.dllpp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00a.cat
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\flpydisk.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\CiAD0001.001R
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\BrSerId.sysC
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\Tasks\WPDGtn
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\2c07d841-785f-469b-81db-3ff900796688.png\
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\battc.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sysV
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem12.CAT
Source: mssecsvc.exe.4.dr	Binary string: x\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\SCPD
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc004.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sys\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: Z\Device\HarddiskVolume2\System Volume Information\SystemRestore\FRStaging\Windows\System32'*
Source: mssecsvc.exe.4.dr	Binary string: #\Device\HarddiskVolume3\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111_SP1~31bf3856ad364e35~x86~~6.1.1.0.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr002.cat
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\errdev.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~x86~~6.1.7601.17514.cath
Source: mssecsvc.exe.4.dr	Binary string: A\Device\HarddiskVolume2\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pfp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\ru-RU\werui.dll.mui
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYS
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\portcls.sys.muie\H
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cath
Source: mssecsvc.exe.4.dr	Binary string: 7\Device\HarddiskVolume2\Windows\System32\drivers\wd.sysh\
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnin002.catCp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\umpass.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMI-SNMP-Provider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catW
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5t
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_scsi.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnsa002.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~fr-FR~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exe
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sys
Source: mssecsvc.exe.4.dr	Binary string: o\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\windows-legacy-whql.cat
Source: mssecsvc.exe.4.dr	Binary string: +\Device\HarddiskVolume2\Windows\System32\en
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx004.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00h.catSp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\hdaudbus.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exes\S
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CATWp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp004.catWp
Source: mssecsvc.exe.4.dr	Binary string: g\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host1-p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Searchuser-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core-UIComp~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00d.catCp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys0C
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00e.catS
Source: mssecsvc.exe.4.dr	Binary string: \|\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.datp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat:
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sys
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\processr.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: C\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\acpi.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sisraid2.sys
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\viac7.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnsh002.cat
Source: mssecsvc.exe.4.dr	Binary string: @\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef.pak.zfsp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-MiscRedirection-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: P\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep005.cat\p
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnnr004.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00e.catp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\intelppm.sys.muih
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\hcw85cir.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core-MiniLP~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\UAGP35.SYS.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.catGQp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catX
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~en-US~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpwd.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~en-US~6.1.7601.17514.catT
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00i.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\hidbatt.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catn
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files\2c07d841-785f-469b-81db-3ff900796688.png
Source: mssecsvc.exe.4.dr	Binary string: ~\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Files'*
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\iirsp.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnxx002.catp
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Searchuser-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cate35p
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp005.catC
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catddp
Source: mssecsvc.exe.4.dr	Binary string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgamps.exeW
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00l.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sysx
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\circlass.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.catp
Source: mssecsvc.exe.4.dr	Binary string: 8\Device\HarddiskVolume2\Program Files\AVG\Av\avgamps.exep
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OpticalMediaDisc-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas2.sys
Source: mssecsvc.exe.4.dr	Binary string: Y\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00x.cat
Source: mssecsvc.exe.4.dr	Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\desktop.ini:
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteAssistance-Package-Client~31bf3856ad364e35~x86~~6.1.7601.17514.cat95E
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sys
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ndiscap.sys.mui'*
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\msiscsi.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00f.cat
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem11.CAT
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sys
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbSer.sys
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sys9
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnnr002.catp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\tsusbhub.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00z.catp
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem2.CAT
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys95E
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr003.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr009.cat1p
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\irenum.sys
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\ipfltdrv.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cath
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SampleContent-Music-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat32\h
Source: mssecsvc.exe.4.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\udhisapi.dll
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\HdAudio.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: 7\Device\HarddiskVolume2\Windows\System32\MSMPEG2ENC.DLLp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sysC
Source: mssecsvc.exe.4.dr	Binary string: H\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef_200_percent.pak
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: ,\Device\HarddiskVolume2\Windows\System32\wfpp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep003.cat
Source: mssecsvc.exe.4.dr	Binary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe\W
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00a.catGQ
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\viac7.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx005.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\volsnap.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sys\
Source: mssecsvc.exe.4.dr	Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5rdd"
Source: mssecsvc.exe.4.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sys
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00c.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc00b.catp
Source: mssecsvc.exe.4.dr	Binary string: B\Device\HarddiskVolume2\Windows\System32\drivers\en-US\srv.sys.mui'*
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\werui.dll'*
Source: mssecsvc.exe.4.dr	Binary string: x\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002H
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky005.cat\p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sys
Source: mssecsvc.exe.4.dr	Binary string: T\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5p
Source: mssecsvc.exe.4.dr	Binary string: f\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.cat
Source: mssecsvc.exe.4.dr	Binary string: Z\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe4FC
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00w.cat
Source: mssecsvc.exe.4.dr	Binary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost8P
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem12.CATp
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\msdsm.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Foundation-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: S\Device\HarddiskVolume2\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}um
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00i.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00v.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc00c.cat
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\stexstor.sys
Source: mssecsvc.exe.4.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\wmpmde.dll
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux-TopLevel~31bf3856ad364e35~x86~~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\udfs.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prngt002.catW
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sermouse.sys
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00b.cat
Source: mssecsvc.exe.4.dr	Binary string: c\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntprint.catPr
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntexe.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00d.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysot\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB2534111~31bf3856ad364e35~x86~~6.1.1.0.cat
Source: mssecsvc.exe.4.dr	Binary string: _\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\nt5.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00b.cat\p
Source: mssecsvc.exe.4.dr	Binary string: [\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem10.CATp
Source: mssecsvc.exe.4.dr	Binary string: a\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem10.CAT
Source: mssecsvc.exe.4.dr	Binary string: f\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History68E:
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sbp2port.sys
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntph.catH
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr006.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976902_RTM~31bf3856ad364e35~x86~~6.1.1.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnle003.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: C\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\mpio.sys.muih
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\b57nd60x.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: z\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vhdmp.sys32\
Source: mssecsvc.exe.4.dr	Binary string: w\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Client-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catC\Pr
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep004.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnin003.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx006.cat
Source: mssecsvc.exe.4.dr	Binary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\fdc.sysD
Source: mssecsvc.exe.4.dr	Binary string: s\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0
Source: mssecsvc.exe.4.dr	Binary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\DRM\blackbox.binX
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys F
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sysi
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catskV
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WinOcr-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnts003.cat
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\scfilter.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00g.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx002.catp
Source: mssecsvc.exe.4.dr	Binary string: W\Device\HarddiskVolume2\Windows\System32\catroot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr008.cat1
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sys
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntph.cat
Source: mssecsvc.exe.4.dr	Binary string: 7\Device\HarddiskVolume2\Windows\System32\drivers\wd.sys
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYS
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.inip
Source: mssecsvc.exe.4.dr	Binary string: o\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\U
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00y.cat
Source: mssecsvc.exe.4.dr	Binary string: Q\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-ActiveX~31bf3856ad364e35~x86~~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc006.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\iirsp.sysrdd
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.cat
Source: mssecsvc.exe.4.dr	Binary string: 1\Device\HarddiskVolume2\Windows\ehome\ehsched.exe
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: f\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Historyy
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysr
Source: mssecsvc.exe.4.dr	Binary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.catlum
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux-AuxComp~31bf3856ad364e35~x86~ru-RU~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sys
Source: mssecsvc.exe.4.dr	Binary string: E\Device\HarddiskVolume2\Windows\System32\drivers\rdpvideominiport.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-RemoteClient-Setup-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat.cap
Source: mssecsvc.exe.4.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\fsdepends.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc005.catp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\GAGP30KX.SYS.mui@p
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\VIAAGP.SYScu
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr005.catGQ
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00d.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep002.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00c.catGQ
Source: mssecsvc.exe.4.dr	Binary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sysskV
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbuhci.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr005.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sysr*
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnsv002.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.catp
Source: mssecsvc.exe.4.dr	Binary string: e\Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\MediaReceiverRegistrar.xmlp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat\Ap
Source: mssecsvc.exe.4.dr	Binary string: +\Device\HarddiskVolume2\Windows\System32\ruIE
Source: mssecsvc.exe.4.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\wbem\Logs856p
Source: mssecsvc.exe.4.dr	Binary string: !\Device\HarddiskVolume3\
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx007.cat
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sysd
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: g\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host
Source: mssecsvc.exe.4.dr	Binary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.catCp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WindowsFoundation-LanguagePack-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catid4
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-VM-Setup-LanguagePack~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat32\p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sysL
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\MTConfig.sys.muip
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat$0p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-RemoteApplications-Client-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: h\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\CookiesC"
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~de-DE~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CAT
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\b57nd60x.sys
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sysul
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr005.catHp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976932~31bf3856ad364e35~x86~~6.1.0.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca003.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr00a.cat1
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky007.catp
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\scfilter.sys
Source: mssecsvc.exe.4.dr	Binary string: @\Device\HarddiskVolume2\Windows\Prefetch\SVCHOST.EXE-007FEA55.pf
Source: mssecsvc.exe.4.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00y.catGp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ShareMedia-ControlPanel-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB976902~31bf3856ad364e35~x86~~6.1.1.17514.cate\|
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Server-Help-Package.ClientUltimate~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00y.catp
Source: mssecsvc.exe.4.dr	Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.datp
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntpe.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00g.catS
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mspqm.sysL
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00g.catp
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\terminpt.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualPC-USB-RPM-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cati
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\tcpip.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnkm004.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00z.cat
Source: mssecsvc.exe.4.dr	Binary string: j\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exeF75
Source: mssecsvc.exe.4.dr	Binary string: H\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976933~31bf3856ad364e35~x86~ja-JP~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \|\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.iniop
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Telnet-Server-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat\
Source: mssecsvc.exe.4.dr	Binary string: _\Device\HarddiskVolume2\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xmlcap
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\irenum.systr
Source: mssecsvc.exe.4.dr	Binary string: O\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Temp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Core-UIComp~31bf3856ad364e35~x86~~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sys
Source: mssecsvc.exe.4.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\upnphost.dllp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-Publishing-WMIProvider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys\W
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnhp002.catWp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\isapnp.sysvip
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.catH
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnsv003.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-CommandLineTools-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UltimateEdition-wrapper~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnge001.catp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.sys
Source: mssecsvc.exe.4.dr	Binary string: E\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\NV_AGP.SYS.muip
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys
Source: mssecsvc.exe.4.dr	Binary string: L\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef_100_percent.pak.zfs1p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Tuner-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sysp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep00e.catC
Source: mssecsvc.exe.4.dr	Binary string: c\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ntprint.catHi
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Tuner-Drivers-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: }\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dllp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~x86~ru-RU~6.1.7601.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\isapnp.sys
Source: mssecsvc.exe.4.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\ssdpsrv.dll
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbMdm.sys
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\umbus.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-1e83ab4c-09b2-4e1a-b4be-933406091d68.tmp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx008.cat
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\ndisuio.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnky003.cat\p
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.inip
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\ru-RU\erofflps.txt
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CATo
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_for_KB976902_RTM~31bf3856ad364e35~x86~~6.1.1.17514.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-WMIProvider-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cath
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnod002.cat
Source: mssecsvc.exe.4.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sys/
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00e.cat
Source: mssecsvc.exe.4.dr	Binary string: w\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00b.cat
Source: mssecsvc.exe.4.dr	Binary string: F\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: >\Device\HarddiskVolume2\ProgramData\Microsoft\Search\Data\Temp
Source: mssecsvc.exe.4.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\vwifibus.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: ~\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows Media Player NSS\3.0\Icon Filesp
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem4.CATp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnca00f.catp
Source: mssecsvc.exe.4.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wimmount.sys
Source: mssecsvc.exe.4.dr	Binary string: `\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Shell-HomeGroup-Package~31bf3856ad364e35~x86~~6.1.7601.17514.catelfp
Source: mssecsvc.exe.4.dr	Binary string: ?\Device\HarddiskVolume2\Windows\System32\drivers\Synth3dVsc.sys
Source: mssecsvc.exe.4.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\riched20.dllp
Source: mssecsvc.exe.4.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sysp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WUClient-SelfUpdate-Aux~31bf3856ad364e35~x86~~7.6.7600.320.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr004.catp
Source: mssecsvc.exe.4.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\drivers\ru-RU\rdpwd.sys.mui
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00e.catp
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-VirtualXP-Licensing-Package~31bf3856ad364e35~x86~~6.1.7601.17514.cat~
Source: mssecsvc.exe.4.dr	Binary string: +\Device\HarddiskVolume2\Windows\System32\ru
Source: mssecsvc.exe.4.dr	Binary string: 0\Device\HarddiskVolume2\Windows\System32\alg.exe-
Source: mssecsvc.exe.4.dr	Binary string: j\Device\HarddiskVolume2\Users\
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.datp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\serenum.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnkm003.catp
Source: mssecsvc.exe.4.dr	Binary string: r\Device\HarddiskVolume2\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE500Cp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnlx00x.catd
Source: mssecsvc.exe.4.dr	Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\cdfs.sys
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep002.cat
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\USBSTOR.SYS
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume3\$
Source: mssecsvc.exe.4.dr	Binary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\desktop.inidp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnep003.catpp
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnrc00a.cat
Source: mssecsvc.exe.4.dr	Binary string: d\Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\prnbr006.cat
Source: mssecsvc.exe.4.dr	Binary string: \Device\HarddiskVolume2\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows7SP1-KB976933~31bf3856ad364e35~x86~~6.1.0.17514.catp
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys
Source: mssecsvc.exe.4.dr	Binary string: <\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\cef.pakp

Source: mssecsvc.exe, 00000006.00000000.2205429511.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000000.2212865403.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000009.00000000.2220780305.000000000040E000.00000008.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.2232690744.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.2235508681.000000000040E000.00000008.00000001.01000000.00000007.sdmp, MK9UBUl8t7.dll, tasksche.exe.6.dr, mssecsvc.exe.4.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/3@0/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3992:120:WilError_03

Source: MK9UBUl8t7.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MK9UBUl8t7.dll,PlayGame

Source: MK9UBUl8t7.dll	ReversingLabs: Detection: 94%
Source: MK9UBUl8t7.dll	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MK9UBUl8t7.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\MK9UBUl8t7.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: MK9UBUl8t7.dll

Static file information: File size 5267459 > 1048576

Source: MK9UBUl8t7.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 9_2_00407710 push eax; ret		9_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 9_2_004076C8 push eax; ret		9_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 1488	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 1488	Thread sleep time: -184000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2680	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2680	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 1488	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000006.00000002.2222837596.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: mssecsvc.exe, 00000008.00000002.2851351259.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.2237225934.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 9_2_004029CC free,GetProcessHeap,HeapFree,

9_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MK9UBUl8t7.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
MK9UBUl8t7.dll	92%	Virustotal		Browse
MK9UBUl8t7.dll	100%	Avira	TR/Ransom.Gen
MK9UBUl8t7.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	95%	ReversingLabs	Win32.Ransomware.WannaCry
C:\WINDOWS\qeriuwjhrf (copy)	89%	Virustotal		Browse
C:\Windows\mssecsvc.exe	95%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe	92%	Virustotal		Browse
C:\Windows\tasksche.exe	95%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	89%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.108.104.1	unknown	Ukraine	39431	ARGOCOM-ASUA	false
44.34.121.20	unknown	United States	20473	AS-CHOOPAUS	false
1.245.136.17	unknown	Korea Republic of	38415	GOEGN-AS-KRGuriNamyangjuOfficeOfEducationKR	false
88.216.195.1	unknown	Lithuania	47838	SOCIUSLT	false
75.63.94.202	unknown	United States	7018	ATT-INTERNET4US	false
40.247.205.105	unknown	United States	4249	LILLY-ASUS	false
120.56.168.1	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
120.56.168.209	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
44.34.121.1	unknown	United States	20473	AS-CHOOPAUS	false
126.245.102.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
128.126.138.90	unknown	United States	21497	UMC-ASUA	false
96.177.68.1	unknown	United States	7922	COMCAST-7922US	false
88.216.195.99	unknown	Lithuania	47838	SOCIUSLT	false
126.245.102.34	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
203.232.211.30	unknown	Korea Republic of	10198	CUP-AS-KRCatholicUniversityofPusanKR	false
124.244.132.211	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	false
158.225.208.1	unknown	Germany	702	UUNETUS	false
73.191.198.4	unknown	United States	7922	COMCAST-7922US	false
73.191.198.1	unknown	United States	7922	COMCAST-7922US	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228
192.168.2.100

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591271
Start date and time:	2025-01-14 21:02:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	MK9UBUl8t7.dll renamed because original name is a hash value
Original Sample Name:	3dbc8386e91b0e967982fe4aafbbd881.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/3@0/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 2.23.77.188, 13.85.23.206, 217.20.57.19, 52.165.164.15, 199.232.214.172, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 2104 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:03:39	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:04:12	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOEGN-AS-KRGuriNamyangjuOfficeOfEducationKR	mpsl.elf	Get hash	malicious	Mirai	Browse	1.242.249.105
	x86.elf	Get hash	malicious	Mirai	Browse	1.243.2.192
	armv6l.elf	Get hash	malicious	Unknown	Browse	1.247.133.207
	x86_64.elf	Get hash	malicious	Gafgyt, Mirai	Browse	1.245.87.235
	1.elf	Get hash	malicious	Unknown	Browse	1.242.19.224
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.247.132.84
	x86_64.elf	Get hash	malicious	Mirai, Moobot	Browse	1.244.165.129
	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	1.242.52.6
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.247.111.181
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	1.246.160.101
ARGOCOM-ASUA	yAnWn3BP4r.elf	Get hash	malicious	Mirai, Moobot	Browse	176.108.108.213
	z3cSdM9V7h.elf	Get hash	malicious	Gafgyt, Mirai	Browse	176.108.110.185
	vo5e83cPmv.elf	Get hash	malicious	Mirai, Moobot	Browse	193.93.17.187
	sora.arm	Get hash	malicious	Mirai	Browse	176.108.108.208
SOCIUSLT	armv5l.elf	Get hash	malicious	Unknown	Browse	88.216.240.224
	desDGzeznq.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	88.216.240.226
	jXBjxhHQgR.exe	Get hash	malicious	CMSBrute	Browse	88.216.223.2
	245f38b4b8a25754bf6e630f8e2acf59.ps1	Get hash	malicious	CobaltStrike, Metasploit	Browse	88.216.210.27
	https://www.wral.com/content/creative_services/promos/clickthru?ct=1&oaparams=2__bannerid=24__zoneid=2__cb=65bf79125e__oadest=http%3A%2F%2FSKBvb.cassini-avocats.fr?api=Z2FpbC5iYWxldHRpZUBjZWxpbmsuY29t	Get hash	malicious	Unknown	Browse	88.216.210.15
	PURZ3fCU46	Get hash	malicious	Mirai	Browse	88.216.240.249
AS-CHOOPAUS	i486.elf	Get hash	malicious	Unknown	Browse	108.61.212.84
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	45.76.251.57
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	45.76.251.57
	9d2h99wrj.exe	Get hash	malicious	Xmrig	Browse	192.248.189.11
	Solara.exe	Get hash	malicious	Python Stealer, Exela Stealer, Xmrig	Browse	80.240.16.67
	80P.exe	Get hash	malicious	I2PRAT	Browse	207.246.88.73
	4.elf	Get hash	malicious	Unknown	Browse	44.40.164.148
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	78.141.202.204
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	44.40.164.150
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, XWorm, Xmrig	Browse	192.248.189.11

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	173.222.162.64
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	173.222.162.64
	Document_31055.pdf	Get hash	malicious	Unknown	Browse	173.222.162.64
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	173.222.162.64
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	173.222.162.64
	Subscription_Renewal_Receipt_2025.htm	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://forms.office.com/e/xknrfCPQkR	Get hash	malicious	HTMLPhisher	Browse	173.222.162.64
	https://github.com/MscrmTools/XrmToolBox/releases/download/v1.2024.9.69/XrmToolbox.zip	Get hash	malicious	Unknown	Browse	173.222.162.64
	https://bccab.dynartis.it/TI_loc.csv	Get hash	malicious	Unknown	Browse	173.222.162.64
	1736856908fb16676aec3e4c808c4bd5cde8e123cc70360266f85ec0ed17050bca6456c9dd274.dat-decoded.exe	Get hash	malicious	XWorm	Browse	173.222.162.64
3b5074b1b5d032e5620f69f9f700ff0e	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	40.113.110.67 40.115.3.253
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	40.113.110.67 40.115.3.253
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	40.113.110.67 40.115.3.253
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	40.113.110.67 40.115.3.253
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	40.113.110.67 40.115.3.253

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.403396494833484
Encrypted:	false
SSDEEP:	49152:nQqR6kQo6SAARdhnvxJM0H9PAMEcaEau3h:QqR6k36SAEdhvxWa9P593h
MD5:	A789C1E681FAEDB49BB1AA2019E860F8
SHA1:	D49EAEA0735812568205013A9B4D2C836BA83E7D
SHA-256:	3948AE66AF7AD4A8FAEDA063FBFFEB2524BCFC65F7B67C66DE8D5C582158D34C
SHA-512:	D3E429FE76C35A302E79F1EDFFF1F7129BCF7B40ABDF3C6146DB451AF76D4D88600AEFC4B507B502AD0B5110A8601A557D5D58BDFA78513AD1F9392E33C4F7FB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 89%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	5.474274375785465
Encrypted:	false
SSDEEP:	49152:VnjQqR6kQo6SAARdhnvxJM0H9PAMEcaEau3:Z8qR6k36SAEdhvxWa9P593
MD5:	B6B99570116F243C44FDBE0BA9F28457
SHA1:	56A837038D3B5DD40EC947D316D621F703EDA650
SHA-256:	F199E126337B785CA278FB8D9525EC2EE93391D2F66E77760220F3CBC7FB5F06
SHA-512:	96DDD3FF2FC8789BDF2B3287807F8EBEBC1CB4E7A2AABE706855A06FFAC6764161E274613E4719E26A757B66E2A0E23C6A95AD57A319D89A46F014A0E96BEB66
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 92%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.403396494833484
Encrypted:	false
SSDEEP:	49152:nQqR6kQo6SAARdhnvxJM0H9PAMEcaEau3h:QqR6k36SAEdhvxWa9P593h
MD5:	A789C1E681FAEDB49BB1AA2019E860F8
SHA1:	D49EAEA0735812568205013A9B4D2C836BA83E7D
SHA-256:	3948AE66AF7AD4A8FAEDA063FBFFEB2524BCFC65F7B67C66DE8D5C582158D34C
SHA-512:	D3E429FE76C35A302E79F1EDFFF1F7129BCF7B40ABDF3C6146DB451AF76D4D88600AEFC4B507B502AD0B5110A8601A557D5D58BDFA78513AD1F9392E33C4F7FB
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95% Antivirus: Virustotal, Detection: 89%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.142873689357375
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MK9UBUl8t7.dll
File size:	5'267'459 bytes
MD5:	3dbc8386e91b0e967982fe4aafbbd881
SHA1:	64c4c9fe40c0f9bf354ecc4b731176be31f63605
SHA256:	12866963100f93d368d9fb48b4d0f30e4b7eb472f682edc9b1b9899af88bdc59
SHA512:	ea2a5b3114aea230803bf63d6700c221a28b8684a49d01bf11acc089f12232af9d0c369ea98e0f37855be8001975aecfcca660db535544d18cf29633b47ecb6d
SSDEEP:	49152:JnjQqR6kQo6SAARdhnvxJM0H9PAMEcaEau3:d8qR6k36SAEdhvxWa9P593
TLSH:	9E369D01D2E41A60D9F24AF72AB9DB109339AE55995BA76E1222410F0C73F1CDDE6F3C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FC13CF1780Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FC13CF17828h
cmp esi, 01h
je 00007FC13CF17807h
cmp esi, 02h
jne 00007FC13CF17824h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC13CF1780Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FC13CF1780Eh
push edi
push esi
push ebx
call 00007FC13CF1771Ah
test eax, eax
jne 00007FC13CF17806h
xor eax, eax
jmp 00007FC13CF17850h
push edi
push esi
push ebx
call 00007FC13CF175CCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FC13CF1780Eh
test eax, eax
jne 00007FC13CF17839h
push edi
push eax
push ebx
call 00007FC13CF176F6h
test esi, esi
je 00007FC13CF17807h
cmp esi, 03h
jne 00007FC13CF17828h
push edi
push esi
push ebx
call 00007FC13CF176E5h
test eax, eax
jne 00007FC13CF17805h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FC13CF17813h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FC13CF1780Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	affbfc517d9ac5d5ce4b9827d0bccb04	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.248260498046875

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:03:31.317401886 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:31.317413092 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:31.645472050 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:33.833195925 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:33.833246946 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:33.833336115 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:33.834196091 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:33.834214926 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.619448900 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.619620085 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.624321938 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.624332905 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.624584913 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.626526117 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.626526117 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.626552105 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.626729965 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.667341948 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.802093983 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.802196026 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:34.802309036 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.803253889 CET	49709	443	192.168.2.6	40.115.3.253
Jan 14, 2025 21:03:34.803272009 CET	443	49709	40.115.3.253	192.168.2.6
Jan 14, 2025 21:03:39.378760099 CET	49721	445	192.168.2.6	205.249.38.46
Jan 14, 2025 21:03:39.384217978 CET	445	49721	205.249.38.46	192.168.2.6
Jan 14, 2025 21:03:39.384310007 CET	49721	445	192.168.2.6	205.249.38.46
Jan 14, 2025 21:03:39.387955904 CET	49721	445	192.168.2.6	205.249.38.46
Jan 14, 2025 21:03:39.388288021 CET	49722	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.393877029 CET	445	49721	205.249.38.46	192.168.2.6
Jan 14, 2025 21:03:39.393948078 CET	49721	445	192.168.2.6	205.249.38.46
Jan 14, 2025 21:03:39.394047022 CET	445	49722	205.249.38.1	192.168.2.6
Jan 14, 2025 21:03:39.394112110 CET	49722	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.395087957 CET	49722	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.400876999 CET	445	49722	205.249.38.1	192.168.2.6
Jan 14, 2025 21:03:39.400935888 CET	49722	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.544105053 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.548953056 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:03:39.549038887 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.549078941 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:03:39.553916931 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:03:40.926759958 CET	49673	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:40.926841974 CET	49674	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:41.254751921 CET	49672	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:41.334841013 CET	49754	445	192.168.2.6	72.138.216.180
Jan 14, 2025 21:03:41.340008020 CET	445	49754	72.138.216.180	192.168.2.6
Jan 14, 2025 21:03:41.340099096 CET	49754	445	192.168.2.6	72.138.216.180
Jan 14, 2025 21:03:41.340166092 CET	49754	445	192.168.2.6	72.138.216.180
Jan 14, 2025 21:03:41.340532064 CET	49755	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.345165968 CET	445	49754	72.138.216.180	192.168.2.6
Jan 14, 2025 21:03:41.345278978 CET	49754	445	192.168.2.6	72.138.216.180
Jan 14, 2025 21:03:41.345401049 CET	445	49755	72.138.216.1	192.168.2.6
Jan 14, 2025 21:03:41.345525026 CET	49755	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.345604897 CET	49755	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.347491980 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.350506067 CET	445	49755	72.138.216.1	192.168.2.6
Jan 14, 2025 21:03:41.350564003 CET	49755	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.352422953 CET	445	49756	72.138.216.1	192.168.2.6
Jan 14, 2025 21:03:41.352495909 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.352605104 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:03:41.357621908 CET	445	49756	72.138.216.1	192.168.2.6
Jan 14, 2025 21:03:42.083268881 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.083311081 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.083381891 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.084165096 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.084183931 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.872504950 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.872594118 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.882095098 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.882117033 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.882333040 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.884378910 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.884378910 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.884408951 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.884545088 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:42.927335024 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:42.947611094 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:42.947701931 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:43.056694031 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:43.056763887 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:43.056827068 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:43.057035923 CET	49767	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:43.057056904 CET	443	49767	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:43.350451946 CET	49790	445	192.168.2.6	206.210.217.120
Jan 14, 2025 21:03:43.355381966 CET	445	49790	206.210.217.120	192.168.2.6
Jan 14, 2025 21:03:43.355470896 CET	49790	445	192.168.2.6	206.210.217.120
Jan 14, 2025 21:03:43.355509043 CET	49790	445	192.168.2.6	206.210.217.120
Jan 14, 2025 21:03:43.355690956 CET	49792	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.360539913 CET	445	49792	206.210.217.1	192.168.2.6
Jan 14, 2025 21:03:43.360591888 CET	445	49790	206.210.217.120	192.168.2.6
Jan 14, 2025 21:03:43.360613108 CET	49792	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.360641003 CET	49792	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.360783100 CET	49790	445	192.168.2.6	206.210.217.120
Jan 14, 2025 21:03:43.362443924 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.365734100 CET	445	49792	206.210.217.1	192.168.2.6
Jan 14, 2025 21:03:43.365791082 CET	49792	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.367280006 CET	445	49793	206.210.217.1	192.168.2.6
Jan 14, 2025 21:03:43.367355108 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.367400885 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:03:43.372131109 CET	445	49793	206.210.217.1	192.168.2.6
Jan 14, 2025 21:03:45.464027882 CET	49826	445	192.168.2.6	124.244.132.211
Jan 14, 2025 21:03:45.468982935 CET	445	49826	124.244.132.211	192.168.2.6
Jan 14, 2025 21:03:45.469055891 CET	49826	445	192.168.2.6	124.244.132.211
Jan 14, 2025 21:03:45.469155073 CET	49826	445	192.168.2.6	124.244.132.211
Jan 14, 2025 21:03:45.469425917 CET	49828	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.474272966 CET	445	49826	124.244.132.211	192.168.2.6
Jan 14, 2025 21:03:45.474288940 CET	445	49828	124.244.132.1	192.168.2.6
Jan 14, 2025 21:03:45.474318027 CET	49826	445	192.168.2.6	124.244.132.211
Jan 14, 2025 21:03:45.474385023 CET	49828	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.474467039 CET	49828	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.476902008 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.479811907 CET	445	49828	124.244.132.1	192.168.2.6
Jan 14, 2025 21:03:45.479861975 CET	49828	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.481782913 CET	445	49830	124.244.132.1	192.168.2.6
Jan 14, 2025 21:03:45.481842995 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.481928110 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:03:45.486730099 CET	445	49830	124.244.132.1	192.168.2.6
Jan 14, 2025 21:03:47.459666014 CET	49864	445	192.168.2.6	50.118.178.125
Jan 14, 2025 21:03:47.464571953 CET	445	49864	50.118.178.125	192.168.2.6
Jan 14, 2025 21:03:47.464688063 CET	49864	445	192.168.2.6	50.118.178.125
Jan 14, 2025 21:03:47.464737892 CET	49864	445	192.168.2.6	50.118.178.125
Jan 14, 2025 21:03:47.464937925 CET	49866	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.469762087 CET	445	49864	50.118.178.125	192.168.2.6
Jan 14, 2025 21:03:47.469774008 CET	445	49866	50.118.178.1	192.168.2.6
Jan 14, 2025 21:03:47.470026016 CET	49864	445	192.168.2.6	50.118.178.125
Jan 14, 2025 21:03:47.470058918 CET	49866	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.470208883 CET	49866	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.471434116 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.475169897 CET	445	49866	50.118.178.1	192.168.2.6
Jan 14, 2025 21:03:47.475231886 CET	49866	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.476257086 CET	445	49867	50.118.178.1	192.168.2.6
Jan 14, 2025 21:03:47.476376057 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.476376057 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:03:47.481219053 CET	445	49867	50.118.178.1	192.168.2.6
Jan 14, 2025 21:03:49.489167929 CET	49899	445	192.168.2.6	165.193.238.202
Jan 14, 2025 21:03:49.493951082 CET	445	49899	165.193.238.202	192.168.2.6
Jan 14, 2025 21:03:49.494019032 CET	49899	445	192.168.2.6	165.193.238.202
Jan 14, 2025 21:03:49.494103909 CET	49899	445	192.168.2.6	165.193.238.202
Jan 14, 2025 21:03:49.494323015 CET	49900	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.499030113 CET	445	49899	165.193.238.202	192.168.2.6
Jan 14, 2025 21:03:49.499078989 CET	49899	445	192.168.2.6	165.193.238.202
Jan 14, 2025 21:03:49.499115944 CET	445	49900	165.193.238.1	192.168.2.6
Jan 14, 2025 21:03:49.499183893 CET	49900	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.499238968 CET	49900	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.503637075 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.504168034 CET	445	49900	165.193.238.1	192.168.2.6
Jan 14, 2025 21:03:49.504214048 CET	49900	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.508450031 CET	445	49901	165.193.238.1	192.168.2.6
Jan 14, 2025 21:03:49.508538008 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.508586884 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:03:49.513423920 CET	445	49901	165.193.238.1	192.168.2.6
Jan 14, 2025 21:03:51.518625975 CET	49937	445	192.168.2.6	191.81.125.26
Jan 14, 2025 21:03:51.524070978 CET	445	49937	191.81.125.26	192.168.2.6
Jan 14, 2025 21:03:51.524138927 CET	49937	445	192.168.2.6	191.81.125.26
Jan 14, 2025 21:03:51.524228096 CET	49937	445	192.168.2.6	191.81.125.26
Jan 14, 2025 21:03:51.524369001 CET	49939	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.529794931 CET	445	49939	191.81.125.1	192.168.2.6
Jan 14, 2025 21:03:51.529864073 CET	49939	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.529911995 CET	49939	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.530038118 CET	445	49937	191.81.125.26	192.168.2.6
Jan 14, 2025 21:03:51.530087948 CET	49937	445	192.168.2.6	191.81.125.26
Jan 14, 2025 21:03:51.530324936 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.534900904 CET	445	49939	191.81.125.1	192.168.2.6
Jan 14, 2025 21:03:51.535046101 CET	49939	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.535072088 CET	445	49940	191.81.125.1	192.168.2.6
Jan 14, 2025 21:03:51.535125017 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.535166979 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:03:51.539925098 CET	445	49940	191.81.125.1	192.168.2.6
Jan 14, 2025 21:03:53.116785049 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:53.117187977 CET	49705	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:53.117319107 CET	49969	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:53.117415905 CET	443	49969	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:53.118846893 CET	49969	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:53.121669054 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:53.121934891 CET	443	49705	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:53.122495890 CET	49969	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:53.122535944 CET	443	49969	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:53.505383015 CET	49976	445	192.168.2.6	37.164.204.161
Jan 14, 2025 21:03:53.510301113 CET	445	49976	37.164.204.161	192.168.2.6
Jan 14, 2025 21:03:53.510389090 CET	49976	445	192.168.2.6	37.164.204.161
Jan 14, 2025 21:03:53.510443926 CET	49976	445	192.168.2.6	37.164.204.161
Jan 14, 2025 21:03:53.510622978 CET	49977	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.515499115 CET	445	49976	37.164.204.161	192.168.2.6
Jan 14, 2025 21:03:53.515511990 CET	445	49977	37.164.204.1	192.168.2.6
Jan 14, 2025 21:03:53.515563011 CET	49976	445	192.168.2.6	37.164.204.161
Jan 14, 2025 21:03:53.515616894 CET	49977	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.515657902 CET	49977	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.515966892 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.520576954 CET	445	49977	37.164.204.1	192.168.2.6
Jan 14, 2025 21:03:53.520637989 CET	49977	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.520766020 CET	445	49978	37.164.204.1	192.168.2.6
Jan 14, 2025 21:03:53.520827055 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.520878077 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:03:53.525651932 CET	445	49978	37.164.204.1	192.168.2.6
Jan 14, 2025 21:03:53.726160049 CET	443	49969	173.222.162.64	192.168.2.6
Jan 14, 2025 21:03:53.726248026 CET	49969	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:03:55.536375999 CET	50011	445	192.168.2.6	128.126.138.90
Jan 14, 2025 21:03:55.541254997 CET	445	50011	128.126.138.90	192.168.2.6
Jan 14, 2025 21:03:55.541315079 CET	50011	445	192.168.2.6	128.126.138.90
Jan 14, 2025 21:03:55.541444063 CET	50011	445	192.168.2.6	128.126.138.90
Jan 14, 2025 21:03:55.541668892 CET	50013	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.542325974 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:55.542334080 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:55.542381048 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:55.543283939 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:55.543292046 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:55.546199083 CET	445	50011	128.126.138.90	192.168.2.6
Jan 14, 2025 21:03:55.546250105 CET	50011	445	192.168.2.6	128.126.138.90
Jan 14, 2025 21:03:55.546489000 CET	445	50013	128.126.138.1	192.168.2.6
Jan 14, 2025 21:03:55.546549082 CET	50013	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.546700001 CET	50013	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.551537991 CET	445	50013	128.126.138.1	192.168.2.6
Jan 14, 2025 21:03:55.551608086 CET	50013	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.554255962 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.559025049 CET	445	50015	128.126.138.1	192.168.2.6
Jan 14, 2025 21:03:55.559092999 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.559124947 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:03:55.563853025 CET	445	50015	128.126.138.1	192.168.2.6
Jan 14, 2025 21:03:56.321926117 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.321989059 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.327580929 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.327588081 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.328046083 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.330446005 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.330538034 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.330543995 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.330741882 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.371330023 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.505424976 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.505506039 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:56.505621910 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.505923986 CET	50014	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:03:56.505938053 CET	443	50014	40.113.110.67	192.168.2.6
Jan 14, 2025 21:03:57.537872076 CET	50046	445	192.168.2.6	174.189.210.125
Jan 14, 2025 21:03:57.542824984 CET	445	50046	174.189.210.125	192.168.2.6
Jan 14, 2025 21:03:57.542898893 CET	50046	445	192.168.2.6	174.189.210.125
Jan 14, 2025 21:03:57.542995930 CET	50046	445	192.168.2.6	174.189.210.125
Jan 14, 2025 21:03:57.543164968 CET	50047	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.547885895 CET	445	50046	174.189.210.125	192.168.2.6
Jan 14, 2025 21:03:57.547970057 CET	50046	445	192.168.2.6	174.189.210.125
Jan 14, 2025 21:03:57.548032999 CET	445	50047	174.189.210.1	192.168.2.6
Jan 14, 2025 21:03:57.548155069 CET	50047	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.548216105 CET	50047	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.548703909 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.553359985 CET	445	50047	174.189.210.1	192.168.2.6
Jan 14, 2025 21:03:57.553597927 CET	445	50048	174.189.210.1	192.168.2.6
Jan 14, 2025 21:03:57.553622961 CET	50047	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.553689003 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.553761959 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:03:57.558571100 CET	445	50048	174.189.210.1	192.168.2.6
Jan 14, 2025 21:03:59.553081989 CET	50082	445	192.168.2.6	198.201.242.195
Jan 14, 2025 21:03:59.557955027 CET	445	50082	198.201.242.195	192.168.2.6
Jan 14, 2025 21:03:59.558022976 CET	50082	445	192.168.2.6	198.201.242.195
Jan 14, 2025 21:03:59.558140993 CET	50082	445	192.168.2.6	198.201.242.195
Jan 14, 2025 21:03:59.558352947 CET	50084	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.562999964 CET	445	50082	198.201.242.195	192.168.2.6
Jan 14, 2025 21:03:59.563057899 CET	50082	445	192.168.2.6	198.201.242.195
Jan 14, 2025 21:03:59.563138008 CET	445	50084	198.201.242.1	192.168.2.6
Jan 14, 2025 21:03:59.563195944 CET	50084	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.563254118 CET	50084	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.563579082 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.568176031 CET	445	50084	198.201.242.1	192.168.2.6
Jan 14, 2025 21:03:59.568238974 CET	50084	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.568363905 CET	445	50085	198.201.242.1	192.168.2.6
Jan 14, 2025 21:03:59.568716049 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.568747044 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:03:59.573574066 CET	445	50085	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:01.274348974 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:01.274492979 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:01.274504900 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:01.274569988 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:01.274596930 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:01.274669886 CET	49723	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:01.284485102 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:01.284499884 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:01.284565926 CET	445	49723	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:01.568697929 CET	50113	445	192.168.2.6	35.27.167.198
Jan 14, 2025 21:04:01.575887918 CET	445	50113	35.27.167.198	192.168.2.6
Jan 14, 2025 21:04:01.575957060 CET	50113	445	192.168.2.6	35.27.167.198
Jan 14, 2025 21:04:01.576071978 CET	50113	445	192.168.2.6	35.27.167.198
Jan 14, 2025 21:04:01.576234102 CET	50115	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.581897020 CET	445	50115	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:01.581916094 CET	445	50113	35.27.167.198	192.168.2.6
Jan 14, 2025 21:04:01.581957102 CET	50115	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.581985950 CET	50113	445	192.168.2.6	35.27.167.198
Jan 14, 2025 21:04:01.582118988 CET	50115	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.582485914 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.587886095 CET	445	50115	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:01.587943077 CET	50115	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.588239908 CET	445	50116	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:01.588335037 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.588387012 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:01.593142986 CET	445	50116	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:02.727950096 CET	445	49756	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:02.728024960 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:02.728105068 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:02.728177071 CET	49756	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:02.732881069 CET	445	49756	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:02.732973099 CET	445	49756	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:03.583430052 CET	50146	445	192.168.2.6	158.225.208.93
Jan 14, 2025 21:04:03.588608027 CET	445	50146	158.225.208.93	192.168.2.6
Jan 14, 2025 21:04:03.588716984 CET	50146	445	192.168.2.6	158.225.208.93
Jan 14, 2025 21:04:03.588716984 CET	50146	445	192.168.2.6	158.225.208.93
Jan 14, 2025 21:04:03.588968039 CET	50147	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.593842030 CET	445	50146	158.225.208.93	192.168.2.6
Jan 14, 2025 21:04:03.593914032 CET	50146	445	192.168.2.6	158.225.208.93
Jan 14, 2025 21:04:03.594280005 CET	445	50147	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:03.594348907 CET	50147	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.594443083 CET	50147	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.594818115 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.599978924 CET	445	50148	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:03.600037098 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.600064993 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.600223064 CET	445	50147	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:03.600502968 CET	445	50147	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:03.600553036 CET	50147	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:03.604803085 CET	445	50148	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:04.286648989 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:04.291492939 CET	445	50159	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:04.291564941 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:04.291610956 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:04.296395063 CET	445	50159	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:04.737667084 CET	445	49793	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:04.737767935 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:04.737920046 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:04.737920046 CET	49793	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:04.742749929 CET	445	49793	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:04.742764950 CET	445	49793	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:05.598962069 CET	50175	445	192.168.2.6	44.34.121.20
Jan 14, 2025 21:04:05.603761911 CET	445	50175	44.34.121.20	192.168.2.6
Jan 14, 2025 21:04:05.603831053 CET	50175	445	192.168.2.6	44.34.121.20
Jan 14, 2025 21:04:05.603863001 CET	50175	445	192.168.2.6	44.34.121.20
Jan 14, 2025 21:04:05.604017019 CET	50176	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.608807087 CET	445	50175	44.34.121.20	192.168.2.6
Jan 14, 2025 21:04:05.608819008 CET	445	50176	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:05.608866930 CET	50175	445	192.168.2.6	44.34.121.20
Jan 14, 2025 21:04:05.608902931 CET	50176	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.608994007 CET	50176	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.609431982 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.613900900 CET	445	50176	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:05.613953114 CET	50176	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.614336967 CET	445	50177	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:05.614413023 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.614456892 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:05.619256020 CET	445	50177	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:05.739515066 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:05.744436979 CET	445	50179	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:05.744554996 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:05.744601965 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:05.749388933 CET	445	50179	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:06.854032040 CET	445	49830	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:06.855150938 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:06.855194092 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:06.855288029 CET	49830	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:06.860471964 CET	445	49830	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:06.860482931 CET	445	49830	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:07.614716053 CET	50191	445	192.168.2.6	96.177.68.143
Jan 14, 2025 21:04:07.619554996 CET	445	50191	96.177.68.143	192.168.2.6
Jan 14, 2025 21:04:07.619751930 CET	50191	445	192.168.2.6	96.177.68.143
Jan 14, 2025 21:04:07.619947910 CET	50192	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.620003939 CET	50191	445	192.168.2.6	96.177.68.143
Jan 14, 2025 21:04:07.624758005 CET	445	50192	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:07.624788046 CET	445	50191	96.177.68.143	192.168.2.6
Jan 14, 2025 21:04:07.624875069 CET	50192	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.624939919 CET	50191	445	192.168.2.6	96.177.68.143
Jan 14, 2025 21:04:07.624984026 CET	50192	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.625390053 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.629856110 CET	445	50192	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:07.629925966 CET	50192	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.630247116 CET	445	50193	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:07.630332947 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.630332947 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:07.635133982 CET	445	50193	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:07.739535093 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:07.745285988 CET	445	50194	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:07.747881889 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:07.747970104 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:07.752717018 CET	445	50194	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:08.831526041 CET	445	49867	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:08.831578970 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:08.831643105 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:08.831712008 CET	49867	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:08.836455107 CET	445	49867	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:08.836467028 CET	445	49867	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:09.630692959 CET	50206	445	192.168.2.6	40.247.205.105
Jan 14, 2025 21:04:09.777091980 CET	445	50206	40.247.205.105	192.168.2.6
Jan 14, 2025 21:04:09.777151108 CET	50206	445	192.168.2.6	40.247.205.105
Jan 14, 2025 21:04:09.777204990 CET	50206	445	192.168.2.6	40.247.205.105
Jan 14, 2025 21:04:09.777381897 CET	50208	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.783512115 CET	445	50208	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:09.783526897 CET	445	50206	40.247.205.105	192.168.2.6
Jan 14, 2025 21:04:09.783602953 CET	50206	445	192.168.2.6	40.247.205.105
Jan 14, 2025 21:04:09.783622026 CET	50208	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.783740044 CET	50208	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.784138918 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.788556099 CET	445	50208	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:09.788610935 CET	50208	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.788975954 CET	445	50209	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:09.789038897 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.789061069 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:09.793832064 CET	445	50209	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:09.864552975 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:09.869394064 CET	445	50210	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:09.869519949 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:09.869568110 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:09.874289989 CET	445	50210	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:10.879399061 CET	445	49901	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:10.879580975 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:10.879698038 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:10.879875898 CET	49901	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:10.884500027 CET	445	49901	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:10.884666920 CET	445	49901	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:11.646255970 CET	50224	445	192.168.2.6	120.56.168.209
Jan 14, 2025 21:04:11.651092052 CET	445	50224	120.56.168.209	192.168.2.6
Jan 14, 2025 21:04:11.651221037 CET	50224	445	192.168.2.6	120.56.168.209
Jan 14, 2025 21:04:11.651309013 CET	50224	445	192.168.2.6	120.56.168.209
Jan 14, 2025 21:04:11.651563883 CET	50225	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.656433105 CET	445	50225	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:11.656544924 CET	50225	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.656646013 CET	445	50224	120.56.168.209	192.168.2.6
Jan 14, 2025 21:04:11.656653881 CET	50225	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.656733036 CET	50224	445	192.168.2.6	120.56.168.209
Jan 14, 2025 21:04:11.657147884 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.661638975 CET	445	50225	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:11.661716938 CET	50225	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.661984921 CET	445	50226	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:11.662071943 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.662111044 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:11.666918993 CET	445	50226	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:11.833375931 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:11.838773966 CET	445	50228	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:11.838927031 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:11.839026928 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:11.843880892 CET	445	50228	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:12.895304918 CET	445	49940	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:12.895421982 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:12.895457983 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:12.895499945 CET	49940	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:12.900480032 CET	445	49940	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:12.900511980 CET	445	49940	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:12.977658987 CET	443	49969	173.222.162.64	192.168.2.6
Jan 14, 2025 21:04:12.977766991 CET	49969	443	192.168.2.6	173.222.162.64
Jan 14, 2025 21:04:13.661643028 CET	50239	445	192.168.2.6	189.120.246.62
Jan 14, 2025 21:04:13.667223930 CET	445	50239	189.120.246.62	192.168.2.6
Jan 14, 2025 21:04:13.667346954 CET	50239	445	192.168.2.6	189.120.246.62
Jan 14, 2025 21:04:13.667402029 CET	50239	445	192.168.2.6	189.120.246.62
Jan 14, 2025 21:04:13.667586088 CET	50240	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.672530890 CET	445	50239	189.120.246.62	192.168.2.6
Jan 14, 2025 21:04:13.672888041 CET	445	50240	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:13.672991037 CET	50240	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.672991037 CET	50240	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.673181057 CET	445	50239	189.120.246.62	192.168.2.6
Jan 14, 2025 21:04:13.673255920 CET	50239	445	192.168.2.6	189.120.246.62
Jan 14, 2025 21:04:13.673367977 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.678658962 CET	445	50241	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:13.678688049 CET	445	50240	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:13.678723097 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.678742886 CET	50240	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.678766012 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:13.683566093 CET	445	50241	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:13.895661116 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:13.900516033 CET	445	50246	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:13.900589943 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:13.900635004 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:13.905400991 CET	445	50246	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:14.895359993 CET	445	49978	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:14.895587921 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:14.895587921 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:14.895629883 CET	49978	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:14.900893927 CET	445	49978	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:14.900954962 CET	445	49978	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:15.536705017 CET	50257	445	192.168.2.6	74.120.194.249
Jan 14, 2025 21:04:15.541538000 CET	445	50257	74.120.194.249	192.168.2.6
Jan 14, 2025 21:04:15.541620970 CET	50257	445	192.168.2.6	74.120.194.249
Jan 14, 2025 21:04:15.541652918 CET	50257	445	192.168.2.6	74.120.194.249
Jan 14, 2025 21:04:15.541769981 CET	50258	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.546648979 CET	445	50257	74.120.194.249	192.168.2.6
Jan 14, 2025 21:04:15.546658993 CET	445	50258	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:15.546715975 CET	50257	445	192.168.2.6	74.120.194.249
Jan 14, 2025 21:04:15.546746016 CET	50258	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.546843052 CET	50258	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.547133923 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.551701069 CET	445	50258	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:15.551755905 CET	50258	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.551996946 CET	445	50259	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:15.552057981 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.552095890 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:15.556901932 CET	445	50259	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:15.911447048 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:15.916230917 CET	445	50261	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:15.916466951 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:15.916498899 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:15.921214104 CET	445	50261	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:16.909555912 CET	445	50015	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:16.909634113 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:16.909676075 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:16.909724951 CET	50015	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:16.914426088 CET	445	50015	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:16.914478064 CET	445	50015	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:17.264624119 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:17.264661074 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:17.264745951 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:17.265362024 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:17.265381098 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:17.286674976 CET	50272	445	192.168.2.6	88.216.195.99
Jan 14, 2025 21:04:17.291495085 CET	445	50272	88.216.195.99	192.168.2.6
Jan 14, 2025 21:04:17.291574001 CET	50272	445	192.168.2.6	88.216.195.99
Jan 14, 2025 21:04:17.291591883 CET	50272	445	192.168.2.6	88.216.195.99
Jan 14, 2025 21:04:17.291727066 CET	50273	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.296567917 CET	445	50272	88.216.195.99	192.168.2.6
Jan 14, 2025 21:04:17.296578884 CET	445	50273	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:17.296618938 CET	50272	445	192.168.2.6	88.216.195.99
Jan 14, 2025 21:04:17.296664000 CET	50273	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.296725988 CET	50273	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.296998978 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.301572084 CET	445	50273	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:17.301657915 CET	50273	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.301794052 CET	445	50274	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:17.302006960 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.302006960 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:17.306904078 CET	445	50274	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:17.911358118 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:17.917253017 CET	445	50280	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:17.917356968 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:17.917376995 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:17.922215939 CET	445	50280	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:18.068964005 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.069063902 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.071003914 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.071017981 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.071820974 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.073731899 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.073788881 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.073797941 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.073940039 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.119333029 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.249437094 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.249634981 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.249782085 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.250176907 CET	50271	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:18.250195026 CET	443	50271	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:18.909677982 CET	445	50048	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:18.909785986 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:18.909879923 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:18.909981012 CET	50048	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:18.914611101 CET	445	50048	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:18.914756060 CET	445	50048	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:18.927335978 CET	50287	445	192.168.2.6	126.245.102.34
Jan 14, 2025 21:04:18.933126926 CET	445	50287	126.245.102.34	192.168.2.6
Jan 14, 2025 21:04:18.933232069 CET	50287	445	192.168.2.6	126.245.102.34
Jan 14, 2025 21:04:18.933276892 CET	50287	445	192.168.2.6	126.245.102.34
Jan 14, 2025 21:04:18.933512926 CET	50288	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.938333988 CET	445	50287	126.245.102.34	192.168.2.6
Jan 14, 2025 21:04:18.938396931 CET	50287	445	192.168.2.6	126.245.102.34
Jan 14, 2025 21:04:18.938399076 CET	445	50288	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:18.938473940 CET	50288	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.938570023 CET	50288	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.938934088 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.944461107 CET	445	50288	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:18.944534063 CET	50288	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.944786072 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:18.944865942 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.944910049 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:18.949815989 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:19.911365986 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:19.916269064 CET	445	50299	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:19.916366100 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:19.916400909 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:19.921184063 CET	445	50299	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:20.458719969 CET	50301	445	192.168.2.6	75.63.94.202
Jan 14, 2025 21:04:20.463567019 CET	445	50301	75.63.94.202	192.168.2.6
Jan 14, 2025 21:04:20.463644028 CET	50301	445	192.168.2.6	75.63.94.202
Jan 14, 2025 21:04:20.463721037 CET	50301	445	192.168.2.6	75.63.94.202
Jan 14, 2025 21:04:20.463985920 CET	50302	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.468791962 CET	445	50301	75.63.94.202	192.168.2.6
Jan 14, 2025 21:04:20.468806982 CET	445	50302	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:20.468849897 CET	50301	445	192.168.2.6	75.63.94.202
Jan 14, 2025 21:04:20.468900919 CET	50302	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.468970060 CET	50302	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.469316959 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.473943949 CET	445	50302	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:20.473994017 CET	50302	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.474090099 CET	445	50303	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:20.474143982 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.474195004 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:20.479149103 CET	445	50303	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:20.943384886 CET	445	50085	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:20.943485975 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:20.943541050 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:20.943603992 CET	50085	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:20.948360920 CET	445	50085	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:20.948416948 CET	445	50085	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:21.881119967 CET	50313	445	192.168.2.6	176.108.104.242
Jan 14, 2025 21:04:21.885977030 CET	445	50313	176.108.104.242	192.168.2.6
Jan 14, 2025 21:04:21.886100054 CET	50313	445	192.168.2.6	176.108.104.242
Jan 14, 2025 21:04:21.890989065 CET	50313	445	192.168.2.6	176.108.104.242
Jan 14, 2025 21:04:21.891268015 CET	50314	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.895857096 CET	445	50313	176.108.104.242	192.168.2.6
Jan 14, 2025 21:04:21.895930052 CET	50313	445	192.168.2.6	176.108.104.242
Jan 14, 2025 21:04:21.896065950 CET	445	50314	176.108.104.1	192.168.2.6
Jan 14, 2025 21:04:21.896123886 CET	50314	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.896209002 CET	50314	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.896544933 CET	50315	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.901155949 CET	445	50314	176.108.104.1	192.168.2.6
Jan 14, 2025 21:04:21.901201010 CET	50314	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.901375055 CET	445	50315	176.108.104.1	192.168.2.6
Jan 14, 2025 21:04:21.901433945 CET	50315	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.901470900 CET	50315	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:21.906232119 CET	445	50315	176.108.104.1	192.168.2.6
Jan 14, 2025 21:04:21.911202908 CET	50316	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:21.915949106 CET	445	50316	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:21.916011095 CET	50316	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:21.916049957 CET	50316	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:21.920847893 CET	445	50316	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:22.957268953 CET	445	50116	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:22.957396984 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:22.957554102 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:22.957619905 CET	50116	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:22.962416887 CET	445	50116	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:22.962430954 CET	445	50116	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:23.208801031 CET	50320	445	192.168.2.6	52.136.227.46
Jan 14, 2025 21:04:23.213800907 CET	445	50320	52.136.227.46	192.168.2.6
Jan 14, 2025 21:04:23.213951111 CET	50320	445	192.168.2.6	52.136.227.46
Jan 14, 2025 21:04:23.213951111 CET	50320	445	192.168.2.6	52.136.227.46
Jan 14, 2025 21:04:23.214073896 CET	50321	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.219001055 CET	445	50321	52.136.227.1	192.168.2.6
Jan 14, 2025 21:04:23.219186068 CET	50321	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.219350100 CET	50321	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.219734907 CET	50322	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.220266104 CET	445	50320	52.136.227.46	192.168.2.6
Jan 14, 2025 21:04:23.224231958 CET	445	50321	52.136.227.1	192.168.2.6
Jan 14, 2025 21:04:23.224569082 CET	445	50322	52.136.227.1	192.168.2.6
Jan 14, 2025 21:04:23.224644899 CET	50322	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.224668980 CET	50322	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.229518890 CET	445	50322	52.136.227.1	192.168.2.6
Jan 14, 2025 21:04:23.241723061 CET	445	50320	52.136.227.46	192.168.2.6
Jan 14, 2025 21:04:23.241885900 CET	50320	445	192.168.2.6	52.136.227.46
Jan 14, 2025 21:04:23.243563890 CET	445	50321	52.136.227.1	192.168.2.6
Jan 14, 2025 21:04:23.243619919 CET	50321	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:23.960855961 CET	50323	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:23.965950012 CET	445	50323	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:23.966070890 CET	50323	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:23.966119051 CET	50323	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:23.971374989 CET	445	50323	198.201.242.1	192.168.2.6
Jan 14, 2025 21:04:24.443317890 CET	50324	445	192.168.2.6	126.60.173.151
Jan 14, 2025 21:04:24.448144913 CET	445	50324	126.60.173.151	192.168.2.6
Jan 14, 2025 21:04:24.448221922 CET	50324	445	192.168.2.6	126.60.173.151
Jan 14, 2025 21:04:24.448323965 CET	50324	445	192.168.2.6	126.60.173.151
Jan 14, 2025 21:04:24.448654890 CET	50325	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.453162909 CET	445	50324	126.60.173.151	192.168.2.6
Jan 14, 2025 21:04:24.453214884 CET	50324	445	192.168.2.6	126.60.173.151
Jan 14, 2025 21:04:24.453428030 CET	445	50325	126.60.173.1	192.168.2.6
Jan 14, 2025 21:04:24.453567028 CET	50325	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.453613997 CET	50325	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.453999996 CET	50326	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.458792925 CET	445	50325	126.60.173.1	192.168.2.6
Jan 14, 2025 21:04:24.458827019 CET	445	50326	126.60.173.1	192.168.2.6
Jan 14, 2025 21:04:24.458856106 CET	50325	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.458913088 CET	50326	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.459116936 CET	50326	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:24.463907003 CET	445	50326	126.60.173.1	192.168.2.6
Jan 14, 2025 21:04:24.959228992 CET	445	50148	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:24.959347010 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:24.959407091 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:24.959465981 CET	50148	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:24.964334965 CET	445	50148	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:24.964359045 CET	445	50148	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:25.599344015 CET	50327	445	192.168.2.6	1.245.136.17
Jan 14, 2025 21:04:25.604151011 CET	445	50327	1.245.136.17	192.168.2.6
Jan 14, 2025 21:04:25.604244947 CET	50327	445	192.168.2.6	1.245.136.17
Jan 14, 2025 21:04:25.604260921 CET	50327	445	192.168.2.6	1.245.136.17
Jan 14, 2025 21:04:25.604408979 CET	50328	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.609132051 CET	445	50328	1.245.136.1	192.168.2.6
Jan 14, 2025 21:04:25.609205008 CET	50328	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.609214067 CET	445	50327	1.245.136.17	192.168.2.6
Jan 14, 2025 21:04:25.609225035 CET	50328	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.609261990 CET	50327	445	192.168.2.6	1.245.136.17
Jan 14, 2025 21:04:25.609483004 CET	50329	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.614073038 CET	445	50328	1.245.136.1	192.168.2.6
Jan 14, 2025 21:04:25.614223003 CET	50328	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.614242077 CET	445	50329	1.245.136.1	192.168.2.6
Jan 14, 2025 21:04:25.614317894 CET	50329	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.614363909 CET	50329	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:25.619131088 CET	445	50329	1.245.136.1	192.168.2.6
Jan 14, 2025 21:04:25.644514084 CET	445	50159	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:25.644597054 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:25.644650936 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:25.644701958 CET	50159	445	192.168.2.6	205.249.38.1
Jan 14, 2025 21:04:25.649852037 CET	445	50159	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:25.650202036 CET	445	50159	205.249.38.1	192.168.2.6
Jan 14, 2025 21:04:25.708453894 CET	50330	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.713469982 CET	445	50330	205.249.38.2	192.168.2.6
Jan 14, 2025 21:04:25.713560104 CET	50330	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.713597059 CET	50330	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.713975906 CET	50331	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.718602896 CET	445	50330	205.249.38.2	192.168.2.6
Jan 14, 2025 21:04:25.718672037 CET	50330	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.718955994 CET	445	50331	205.249.38.2	192.168.2.6
Jan 14, 2025 21:04:25.719038963 CET	50331	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.719094038 CET	50331	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:25.724100113 CET	445	50331	205.249.38.2	192.168.2.6
Jan 14, 2025 21:04:25.958465099 CET	50332	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:25.963320971 CET	445	50332	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:25.963499069 CET	50332	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:25.963499069 CET	50332	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:25.968365908 CET	445	50332	35.27.167.1	192.168.2.6
Jan 14, 2025 21:04:26.677514076 CET	50333	445	192.168.2.6	203.173.144.21
Jan 14, 2025 21:04:26.682405949 CET	445	50333	203.173.144.21	192.168.2.6
Jan 14, 2025 21:04:26.682554960 CET	50333	445	192.168.2.6	203.173.144.21
Jan 14, 2025 21:04:26.682609081 CET	50333	445	192.168.2.6	203.173.144.21
Jan 14, 2025 21:04:26.682770014 CET	50334	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.687582016 CET	445	50334	203.173.144.1	192.168.2.6
Jan 14, 2025 21:04:26.687597036 CET	445	50333	203.173.144.21	192.168.2.6
Jan 14, 2025 21:04:26.687695980 CET	50333	445	192.168.2.6	203.173.144.21
Jan 14, 2025 21:04:26.687712908 CET	50334	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.687868118 CET	50334	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.688247919 CET	50335	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.692796946 CET	445	50334	203.173.144.1	192.168.2.6
Jan 14, 2025 21:04:26.692853928 CET	50334	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.693087101 CET	445	50335	203.173.144.1	192.168.2.6
Jan 14, 2025 21:04:26.693149090 CET	50335	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.693182945 CET	50335	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:26.697926998 CET	445	50335	203.173.144.1	192.168.2.6
Jan 14, 2025 21:04:26.988107920 CET	445	50177	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:26.988305092 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:26.988439083 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:26.988498926 CET	50177	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:26.993202925 CET	445	50177	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:26.993247986 CET	445	50177	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:27.114888906 CET	445	50179	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:27.114978075 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:27.115056992 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:27.115150928 CET	50179	445	192.168.2.6	72.138.216.1
Jan 14, 2025 21:04:27.119806051 CET	445	50179	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:27.119888067 CET	445	50179	72.138.216.1	192.168.2.6
Jan 14, 2025 21:04:27.177627087 CET	50336	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.182539940 CET	445	50336	72.138.216.2	192.168.2.6
Jan 14, 2025 21:04:27.182626009 CET	50336	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.182780981 CET	50336	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.183197021 CET	50337	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.187685013 CET	445	50336	72.138.216.2	192.168.2.6
Jan 14, 2025 21:04:27.187787056 CET	50336	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.188040018 CET	445	50337	72.138.216.2	192.168.2.6
Jan 14, 2025 21:04:27.188116074 CET	50337	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.188188076 CET	50337	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:27.192962885 CET	445	50337	72.138.216.2	192.168.2.6
Jan 14, 2025 21:04:27.692989111 CET	50338	445	192.168.2.6	41.8.233.159
Jan 14, 2025 21:04:27.698198080 CET	445	50338	41.8.233.159	192.168.2.6
Jan 14, 2025 21:04:27.698301077 CET	50338	445	192.168.2.6	41.8.233.159
Jan 14, 2025 21:04:27.698359966 CET	50338	445	192.168.2.6	41.8.233.159
Jan 14, 2025 21:04:27.698520899 CET	50339	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.703655958 CET	445	50339	41.8.233.1	192.168.2.6
Jan 14, 2025 21:04:27.703758001 CET	50339	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.703824997 CET	50339	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.704008102 CET	445	50338	41.8.233.159	192.168.2.6
Jan 14, 2025 21:04:27.704065084 CET	50338	445	192.168.2.6	41.8.233.159
Jan 14, 2025 21:04:27.704204082 CET	50340	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.709074974 CET	445	50339	41.8.233.1	192.168.2.6
Jan 14, 2025 21:04:27.709167004 CET	50339	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.709228039 CET	445	50340	41.8.233.1	192.168.2.6
Jan 14, 2025 21:04:27.709291935 CET	50340	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.709321976 CET	50340	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:27.714056969 CET	445	50340	41.8.233.1	192.168.2.6
Jan 14, 2025 21:04:27.973882914 CET	50341	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:27.978744030 CET	445	50341	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:27.978843927 CET	50341	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:27.978880882 CET	50341	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:27.983938932 CET	445	50341	158.225.208.1	192.168.2.6
Jan 14, 2025 21:04:28.630511045 CET	50342	445	192.168.2.6	210.31.103.65
Jan 14, 2025 21:04:28.635353088 CET	445	50342	210.31.103.65	192.168.2.6
Jan 14, 2025 21:04:28.635474920 CET	50342	445	192.168.2.6	210.31.103.65
Jan 14, 2025 21:04:28.635531902 CET	50342	445	192.168.2.6	210.31.103.65
Jan 14, 2025 21:04:28.635742903 CET	50343	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.640635014 CET	445	50342	210.31.103.65	192.168.2.6
Jan 14, 2025 21:04:28.640662909 CET	445	50343	210.31.103.1	192.168.2.6
Jan 14, 2025 21:04:28.640714884 CET	50342	445	192.168.2.6	210.31.103.65
Jan 14, 2025 21:04:28.640770912 CET	50343	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.640918970 CET	50343	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.641304016 CET	50344	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.645713091 CET	445	50343	210.31.103.1	192.168.2.6
Jan 14, 2025 21:04:28.645773888 CET	50343	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.646034002 CET	445	50344	210.31.103.1	192.168.2.6
Jan 14, 2025 21:04:28.646090984 CET	50344	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.646147013 CET	50344	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:28.650903940 CET	445	50344	210.31.103.1	192.168.2.6
Jan 14, 2025 21:04:29.005841017 CET	445	50193	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:29.005949020 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:29.005997896 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:29.006011963 CET	50193	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:29.010960102 CET	445	50193	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:29.010972977 CET	445	50193	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:29.132678032 CET	445	50194	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:29.132751942 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:29.132801056 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:29.133001089 CET	50194	445	192.168.2.6	206.210.217.1
Jan 14, 2025 21:04:29.137583017 CET	445	50194	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:29.137789011 CET	445	50194	206.210.217.1	192.168.2.6
Jan 14, 2025 21:04:29.192727089 CET	50345	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.197685957 CET	445	50345	206.210.217.2	192.168.2.6
Jan 14, 2025 21:04:29.197802067 CET	50345	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.197841883 CET	50345	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.198299885 CET	50346	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.203154087 CET	445	50346	206.210.217.2	192.168.2.6
Jan 14, 2025 21:04:29.203290939 CET	50346	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.203350067 CET	50346	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.204231024 CET	445	50345	206.210.217.2	192.168.2.6
Jan 14, 2025 21:04:29.208118916 CET	445	50346	206.210.217.2	192.168.2.6
Jan 14, 2025 21:04:29.217573881 CET	445	50345	206.210.217.2	192.168.2.6
Jan 14, 2025 21:04:29.217752934 CET	50345	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:29.505610943 CET	50348	445	192.168.2.6	73.191.198.4
Jan 14, 2025 21:04:29.510548115 CET	445	50348	73.191.198.4	192.168.2.6
Jan 14, 2025 21:04:29.510802984 CET	50348	445	192.168.2.6	73.191.198.4
Jan 14, 2025 21:04:29.510844946 CET	50348	445	192.168.2.6	73.191.198.4
Jan 14, 2025 21:04:29.511096954 CET	50349	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.515779972 CET	445	50348	73.191.198.4	192.168.2.6
Jan 14, 2025 21:04:29.515856981 CET	50348	445	192.168.2.6	73.191.198.4
Jan 14, 2025 21:04:29.515887976 CET	445	50349	73.191.198.1	192.168.2.6
Jan 14, 2025 21:04:29.515953064 CET	50349	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.515985012 CET	50349	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.516470909 CET	50350	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.520939112 CET	445	50349	73.191.198.1	192.168.2.6
Jan 14, 2025 21:04:29.521014929 CET	50349	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.521265984 CET	445	50350	73.191.198.1	192.168.2.6
Jan 14, 2025 21:04:29.521421909 CET	50350	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.521421909 CET	50350	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:29.526351929 CET	445	50350	73.191.198.1	192.168.2.6
Jan 14, 2025 21:04:29.989923954 CET	50351	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:29.994781017 CET	445	50351	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:29.994863033 CET	50351	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:29.994904995 CET	50351	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:29.999713898 CET	445	50351	44.34.121.1	192.168.2.6
Jan 14, 2025 21:04:30.333633900 CET	50352	445	192.168.2.6	187.188.199.109
Jan 14, 2025 21:04:30.338443041 CET	445	50352	187.188.199.109	192.168.2.6
Jan 14, 2025 21:04:30.338542938 CET	50352	445	192.168.2.6	187.188.199.109
Jan 14, 2025 21:04:30.338614941 CET	50352	445	192.168.2.6	187.188.199.109
Jan 14, 2025 21:04:30.338835001 CET	50353	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.343502998 CET	445	50352	187.188.199.109	192.168.2.6
Jan 14, 2025 21:04:30.343636036 CET	445	50353	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:30.343722105 CET	50352	445	192.168.2.6	187.188.199.109
Jan 14, 2025 21:04:30.343746901 CET	50353	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.343826056 CET	50353	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.344199896 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.348835945 CET	445	50353	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:30.349087954 CET	445	50354	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:30.349184036 CET	50353	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.349208117 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.349251032 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:30.354126930 CET	445	50354	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:31.099291086 CET	50355	445	192.168.2.6	203.232.211.30
Jan 14, 2025 21:04:31.104114056 CET	445	50355	203.232.211.30	192.168.2.6
Jan 14, 2025 21:04:31.104214907 CET	50355	445	192.168.2.6	203.232.211.30
Jan 14, 2025 21:04:31.104264975 CET	50355	445	192.168.2.6	203.232.211.30
Jan 14, 2025 21:04:31.104552031 CET	50356	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.109122038 CET	445	50355	203.232.211.30	192.168.2.6
Jan 14, 2025 21:04:31.109181881 CET	50355	445	192.168.2.6	203.232.211.30
Jan 14, 2025 21:04:31.109353065 CET	445	50356	203.232.211.1	192.168.2.6
Jan 14, 2025 21:04:31.109508038 CET	50356	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.109508038 CET	50356	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.109819889 CET	50357	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.114433050 CET	445	50356	203.232.211.1	192.168.2.6
Jan 14, 2025 21:04:31.114612103 CET	50356	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.114617109 CET	445	50357	203.232.211.1	192.168.2.6
Jan 14, 2025 21:04:31.114669085 CET	50357	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.114691019 CET	50357	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:31.119395018 CET	445	50357	203.232.211.1	192.168.2.6
Jan 14, 2025 21:04:31.144455910 CET	445	50209	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:31.144546032 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:31.144608974 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:31.144700050 CET	50209	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:31.149353027 CET	445	50209	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:31.149485111 CET	445	50209	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:31.224266052 CET	445	50210	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:31.224406004 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:31.224478006 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:31.224539042 CET	50210	445	192.168.2.6	124.244.132.1
Jan 14, 2025 21:04:31.229299068 CET	445	50210	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:31.229317904 CET	445	50210	124.244.132.1	192.168.2.6
Jan 14, 2025 21:04:31.286806107 CET	50358	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.291768074 CET	445	50358	124.244.132.2	192.168.2.6
Jan 14, 2025 21:04:31.291883945 CET	50358	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.291929960 CET	50358	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.292520046 CET	50359	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.296894073 CET	445	50358	124.244.132.2	192.168.2.6
Jan 14, 2025 21:04:31.296996117 CET	50358	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.297359943 CET	445	50359	124.244.132.2	192.168.2.6
Jan 14, 2025 21:04:31.297456980 CET	50359	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.297545910 CET	50359	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:31.302686930 CET	445	50359	124.244.132.2	192.168.2.6
Jan 14, 2025 21:04:31.910696030 CET	445	50354	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:31.910826921 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:31.910826921 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:31.910873890 CET	50354	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:31.915676117 CET	445	50354	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:31.915689945 CET	445	50354	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:32.020967960 CET	50361	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:32.025753021 CET	445	50361	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:32.025827885 CET	50361	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:32.025897026 CET	50361	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:32.030641079 CET	445	50361	96.177.68.1	192.168.2.6
Jan 14, 2025 21:04:33.022723913 CET	445	50226	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:33.022883892 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:33.022927999 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:33.022984982 CET	50226	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:33.027832031 CET	445	50226	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:33.027843952 CET	445	50226	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:33.217835903 CET	445	50228	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:33.217935085 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:33.218015909 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:33.218092918 CET	50228	445	192.168.2.6	50.118.178.1
Jan 14, 2025 21:04:33.224828959 CET	445	50228	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:33.224973917 CET	445	50228	50.118.178.1	192.168.2.6
Jan 14, 2025 21:04:33.270826101 CET	50365	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.275626898 CET	445	50365	50.118.178.2	192.168.2.6
Jan 14, 2025 21:04:33.275718927 CET	50365	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.275794029 CET	50365	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.276130915 CET	50366	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.280657053 CET	445	50365	50.118.178.2	192.168.2.6
Jan 14, 2025 21:04:33.280738115 CET	50365	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.280860901 CET	445	50366	50.118.178.2	192.168.2.6
Jan 14, 2025 21:04:33.280924082 CET	50366	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.280971050 CET	50366	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:33.285706997 CET	445	50366	50.118.178.2	192.168.2.6
Jan 14, 2025 21:04:34.145813942 CET	50370	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:34.150737047 CET	445	50370	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:34.150831938 CET	50370	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:34.150871038 CET	50370	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:34.155656099 CET	445	50370	40.247.205.1	192.168.2.6
Jan 14, 2025 21:04:34.911596060 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:34.916568995 CET	445	50376	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:34.916702032 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:34.916778088 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:34.921574116 CET	445	50376	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:35.035418034 CET	445	50241	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:35.035492897 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:35.035537004 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:35.035587072 CET	50241	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:35.040463924 CET	445	50241	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:35.040524960 CET	445	50241	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:35.256277084 CET	445	50246	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:35.256350040 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:35.256500959 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:35.256578922 CET	50246	445	192.168.2.6	165.193.238.1
Jan 14, 2025 21:04:35.261290073 CET	445	50246	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:35.261359930 CET	445	50246	165.193.238.1	192.168.2.6
Jan 14, 2025 21:04:35.317878008 CET	50379	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.322734118 CET	445	50379	165.193.238.2	192.168.2.6
Jan 14, 2025 21:04:35.322813034 CET	50379	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.322885036 CET	50379	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.323247910 CET	50380	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.328064919 CET	445	50380	165.193.238.2	192.168.2.6
Jan 14, 2025 21:04:35.328161955 CET	445	50379	165.193.238.2	192.168.2.6
Jan 14, 2025 21:04:35.328197002 CET	50380	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.328197956 CET	50380	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.328211069 CET	50379	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:35.333030939 CET	445	50380	165.193.238.2	192.168.2.6
Jan 14, 2025 21:04:36.036360025 CET	50387	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:36.042319059 CET	445	50387	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:36.043936968 CET	50387	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:36.043966055 CET	50387	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:36.049875975 CET	445	50387	120.56.168.1	192.168.2.6
Jan 14, 2025 21:04:36.476710081 CET	445	50376	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:36.476917982 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:36.476973057 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:36.477020979 CET	50376	445	192.168.2.6	187.188.199.1
Jan 14, 2025 21:04:36.485833883 CET	445	50376	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:36.486005068 CET	445	50376	187.188.199.1	192.168.2.6
Jan 14, 2025 21:04:36.536577940 CET	50394	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.545923948 CET	445	50394	187.188.199.2	192.168.2.6
Jan 14, 2025 21:04:36.546082020 CET	50394	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.546195030 CET	50394	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.546674967 CET	50395	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.554450035 CET	445	50394	187.188.199.2	192.168.2.6
Jan 14, 2025 21:04:36.554462910 CET	445	50395	187.188.199.2	192.168.2.6
Jan 14, 2025 21:04:36.554550886 CET	50394	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.554600000 CET	50395	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.554672003 CET	50395	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:36.559938908 CET	445	50395	187.188.199.2	192.168.2.6
Jan 14, 2025 21:04:36.930052996 CET	445	50259	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:36.930139065 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:36.930176020 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:36.930221081 CET	50259	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:36.935148954 CET	445	50259	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:36.935309887 CET	445	50259	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:37.306606054 CET	445	50261	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:37.306683064 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:37.311208010 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:37.311235905 CET	50261	445	192.168.2.6	191.81.125.1
Jan 14, 2025 21:04:37.316765070 CET	445	50261	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:37.316777945 CET	445	50261	191.81.125.1	192.168.2.6
Jan 14, 2025 21:04:37.378855944 CET	50403	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.383754015 CET	445	50403	191.81.125.2	192.168.2.6
Jan 14, 2025 21:04:37.383826017 CET	50403	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.387732029 CET	50403	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.392880917 CET	445	50403	191.81.125.2	192.168.2.6
Jan 14, 2025 21:04:37.392956972 CET	50403	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.396939039 CET	50404	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.401974916 CET	445	50404	191.81.125.2	192.168.2.6
Jan 14, 2025 21:04:37.402033091 CET	50404	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.402066946 CET	50404	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:37.406892061 CET	445	50404	191.81.125.2	192.168.2.6
Jan 14, 2025 21:04:38.036416054 CET	50414	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:38.041636944 CET	445	50414	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:38.041744947 CET	50414	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:38.048243999 CET	50414	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:38.053438902 CET	445	50414	189.120.246.1	192.168.2.6
Jan 14, 2025 21:04:38.675947905 CET	445	50274	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:38.676100969 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:38.676136017 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:38.676165104 CET	50274	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:38.681026936 CET	445	50274	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:38.681040049 CET	445	50274	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:39.200135946 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.200193882 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.200297117 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.200949907 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.200997114 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.285231113 CET	445	50280	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:39.285419941 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:39.285419941 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:39.285419941 CET	50280	445	192.168.2.6	37.164.204.1
Jan 14, 2025 21:04:39.290271044 CET	445	50280	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:39.290338993 CET	445	50280	37.164.204.1	192.168.2.6
Jan 14, 2025 21:04:39.348938942 CET	50439	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.353847027 CET	445	50439	37.164.204.2	192.168.2.6
Jan 14, 2025 21:04:39.354095936 CET	50439	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.354095936 CET	50439	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.354382992 CET	50440	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.359105110 CET	445	50439	37.164.204.2	192.168.2.6
Jan 14, 2025 21:04:39.359198093 CET	50439	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.359286070 CET	445	50440	37.164.204.2	192.168.2.6
Jan 14, 2025 21:04:39.359361887 CET	50440	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.359397888 CET	50440	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:39.364255905 CET	445	50440	37.164.204.2	192.168.2.6
Jan 14, 2025 21:04:39.942749977 CET	50455	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:39.947599888 CET	445	50455	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:39.947673082 CET	50455	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:39.947797060 CET	50455	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:39.952599049 CET	445	50455	74.120.194.1	192.168.2.6
Jan 14, 2025 21:04:39.981194019 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.981271029 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.983338118 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.983352900 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.983599901 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.985495090 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.985549927 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:39.985554934 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:39.985884905 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:40.027333975 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:41.081265926 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:41.081355095 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:41.081962109 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:41.082000017 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:41.082015038 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:41.082015038 CET	50435	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:04:41.082024097 CET	443	50435	40.113.110.67	192.168.2.6
Jan 14, 2025 21:04:41.084492922 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:41.084572077 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:41.084614038 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:41.084651947 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:41.084673882 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:41.084697962 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:41.084747076 CET	50289	445	192.168.2.6	126.245.102.1
Jan 14, 2025 21:04:41.103944063 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:41.103957891 CET	445	50289	126.245.102.1	192.168.2.6
Jan 14, 2025 21:04:41.304749012 CET	445	50299	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:41.304883957 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:41.304929018 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:41.304966927 CET	50299	445	192.168.2.6	128.126.138.1
Jan 14, 2025 21:04:41.310127974 CET	445	50299	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:41.310158968 CET	445	50299	128.126.138.1	192.168.2.6
Jan 14, 2025 21:04:41.365124941 CET	50498	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.370961905 CET	445	50498	128.126.138.2	192.168.2.6
Jan 14, 2025 21:04:41.371053934 CET	50498	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.371155977 CET	50498	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.371537924 CET	50499	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.376247883 CET	445	50498	128.126.138.2	192.168.2.6
Jan 14, 2025 21:04:41.376349926 CET	50498	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.376390934 CET	445	50499	128.126.138.2	192.168.2.6
Jan 14, 2025 21:04:41.376456976 CET	50499	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.376485109 CET	50499	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:41.381233931 CET	445	50499	128.126.138.2	192.168.2.6
Jan 14, 2025 21:04:41.677000999 CET	50513	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:41.683548927 CET	445	50513	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:41.683670044 CET	50513	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:41.683722019 CET	50513	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:04:41.691395044 CET	445	50513	88.216.195.1	192.168.2.6
Jan 14, 2025 21:04:41.896301985 CET	445	50303	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:41.896365881 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:41.896399021 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:41.896431923 CET	50303	445	192.168.2.6	75.63.94.1
Jan 14, 2025 21:04:41.902359962 CET	445	50303	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:41.902369976 CET	445	50303	75.63.94.1	192.168.2.6
Jan 14, 2025 21:04:43.304971933 CET	445	50315	176.108.104.1	192.168.2.6
Jan 14, 2025 21:04:43.305030107 CET	50315	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:43.348678112 CET	445	50316	174.189.210.1	192.168.2.6
Jan 14, 2025 21:04:43.348737001 CET	50316	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:43.872152090 CET	50359	445	192.168.2.6	124.244.132.2
Jan 14, 2025 21:04:43.872178078 CET	50440	445	192.168.2.6	37.164.204.2
Jan 14, 2025 21:04:43.872243881 CET	50346	445	192.168.2.6	206.210.217.2
Jan 14, 2025 21:04:43.872323990 CET	50331	445	192.168.2.6	205.249.38.2
Jan 14, 2025 21:04:43.872348070 CET	50316	445	192.168.2.6	174.189.210.1
Jan 14, 2025 21:04:43.872386932 CET	50337	445	192.168.2.6	72.138.216.2
Jan 14, 2025 21:04:43.872415066 CET	50404	445	192.168.2.6	191.81.125.2
Jan 14, 2025 21:04:43.872453928 CET	50380	445	192.168.2.6	165.193.238.2
Jan 14, 2025 21:04:43.872514963 CET	50315	445	192.168.2.6	176.108.104.1
Jan 14, 2025 21:04:43.872551918 CET	50322	445	192.168.2.6	52.136.227.1
Jan 14, 2025 21:04:43.872571945 CET	50323	445	192.168.2.6	198.201.242.1
Jan 14, 2025 21:04:43.872600079 CET	50326	445	192.168.2.6	126.60.173.1
Jan 14, 2025 21:04:43.872631073 CET	50329	445	192.168.2.6	1.245.136.1
Jan 14, 2025 21:04:43.872731924 CET	50332	445	192.168.2.6	35.27.167.1
Jan 14, 2025 21:04:43.872731924 CET	50335	445	192.168.2.6	203.173.144.1
Jan 14, 2025 21:04:43.872747898 CET	50340	445	192.168.2.6	41.8.233.1
Jan 14, 2025 21:04:43.872787952 CET	50341	445	192.168.2.6	158.225.208.1
Jan 14, 2025 21:04:43.872807980 CET	50344	445	192.168.2.6	210.31.103.1
Jan 14, 2025 21:04:43.872836113 CET	50350	445	192.168.2.6	73.191.198.1
Jan 14, 2025 21:04:43.872854948 CET	50351	445	192.168.2.6	44.34.121.1
Jan 14, 2025 21:04:43.872910023 CET	50395	445	192.168.2.6	187.188.199.2
Jan 14, 2025 21:04:43.872930050 CET	50361	445	192.168.2.6	96.177.68.1
Jan 14, 2025 21:04:43.872953892 CET	50357	445	192.168.2.6	203.232.211.1
Jan 14, 2025 21:04:43.872980118 CET	50370	445	192.168.2.6	40.247.205.1
Jan 14, 2025 21:04:43.873018026 CET	50366	445	192.168.2.6	50.118.178.2
Jan 14, 2025 21:04:43.873054981 CET	50387	445	192.168.2.6	120.56.168.1
Jan 14, 2025 21:04:43.873099089 CET	50414	445	192.168.2.6	189.120.246.1
Jan 14, 2025 21:04:43.873168945 CET	50455	445	192.168.2.6	74.120.194.1
Jan 14, 2025 21:04:43.873291969 CET	50499	445	192.168.2.6	128.126.138.2
Jan 14, 2025 21:04:43.873353004 CET	50513	445	192.168.2.6	88.216.195.1
Jan 14, 2025 21:05:05.092864037 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.092911005 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.093041897 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.093847990 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.093879938 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.894543886 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.894692898 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.898957014 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.898969889 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.899624109 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.901468992 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.901535034 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.901542902 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:05.901681900 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:05.947335958 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:06.071959972 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:06.072187901 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:06.072249889 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:06.072489977 CET	50618	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:06.072511911 CET	443	50618	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:11.281224012 CET	49706	80	192.168.2.6	2.17.190.73
Jan 14, 2025 21:05:11.281285048 CET	49704	80	192.168.2.6	199.232.210.172
Jan 14, 2025 21:05:11.281366110 CET	49703	443	192.168.2.6	40.126.32.133
Jan 14, 2025 21:05:11.286860943 CET	80	49706	2.17.190.73	192.168.2.6
Jan 14, 2025 21:05:11.287026882 CET	49706	80	192.168.2.6	2.17.190.73
Jan 14, 2025 21:05:11.287307024 CET	80	49704	199.232.210.172	192.168.2.6
Jan 14, 2025 21:05:11.287324905 CET	443	49703	40.126.32.133	192.168.2.6
Jan 14, 2025 21:05:11.287372112 CET	49704	80	192.168.2.6	199.232.210.172
Jan 14, 2025 21:05:11.287384987 CET	49703	443	192.168.2.6	40.126.32.133
Jan 14, 2025 21:05:13.849024057 CET	49707	443	192.168.2.6	40.126.32.133
Jan 14, 2025 21:05:13.855834961 CET	443	49707	40.126.32.133	192.168.2.6
Jan 14, 2025 21:05:13.855911970 CET	49707	443	192.168.2.6	40.126.32.133
Jan 14, 2025 21:05:38.110097885 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.110138893 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.110219955 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.110780001 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.110797882 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.909538031 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.909785032 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.912250996 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.912259102 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.913176060 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.915193081 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.915317059 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.915322065 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:38.915529013 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:38.963332891 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:39.085845947 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:39.086148977 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:39.086241007 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:39.086555004 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:39.086570978 CET	443	50619	40.113.110.67	192.168.2.6
Jan 14, 2025 21:05:39.086606979 CET	50619	443	192.168.2.6	40.113.110.67
Jan 14, 2025 21:05:43.915173054 CET	50620	445	192.168.2.6	153.10.92.189
Jan 14, 2025 21:05:43.920121908 CET	445	50620	153.10.92.189	192.168.2.6
Jan 14, 2025 21:05:43.920273066 CET	50620	445	192.168.2.6	153.10.92.189
Jan 14, 2025 21:05:43.920273066 CET	50620	445	192.168.2.6	153.10.92.189
Jan 14, 2025 21:05:43.920944929 CET	50621	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.925693035 CET	445	50621	153.10.92.1	192.168.2.6
Jan 14, 2025 21:05:43.925712109 CET	445	50620	153.10.92.189	192.168.2.6
Jan 14, 2025 21:05:43.925771952 CET	50621	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.925771952 CET	50621	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.925771952 CET	50620	445	192.168.2.6	153.10.92.189
Jan 14, 2025 21:05:43.926430941 CET	50624	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.931030989 CET	445	50621	153.10.92.1	192.168.2.6
Jan 14, 2025 21:05:43.931088924 CET	50621	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.931174040 CET	445	50624	153.10.92.1	192.168.2.6
Jan 14, 2025 21:05:43.931241989 CET	50624	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.931334972 CET	50624	445	192.168.2.6	153.10.92.1
Jan 14, 2025 21:05:43.936079979 CET	445	50624	153.10.92.1	192.168.2.6

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:03:34 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 32 68 4a 45 30 53 6c 70 51 55 79 37 34 79 59 79 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 39 33 61 37 30 66 66 65 34 63 31 35 33 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 2hJE0SlpQUy74yYy.1Context: 3693a70ffe4c153c
2025-01-14 20:03:34 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:03:34 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 32 68 4a 45 30 53 6c 70 51 55 79 37 34 79 59 79 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 39 33 61 37 30 66 66 65 34 63 31 35 33 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 2hJE0SlpQUy74yYy.2Context: 3693a70ffe4c153c<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:03:34 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 32 68 4a 45 30 53 6c 70 51 55 79 37 34 79 59 79 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 36 39 33 61 37 30 66 66 65 34 63 31 35 33 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 2hJE0SlpQUy74yYy.3Context: 3693a70ffe4c153c<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:03:34 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:03:34 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 64 54 67 36 35 35 65 6d 37 45 36 58 65 5a 6c 6d 68 33 38 54 52 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: dTg655em7E6XeZlmh38TRA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49767	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:03:42 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 36 34 32 45 4d 41 36 44 71 6b 65 54 62 43 58 6e 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 38 31 38 61 63 66 64 38 37 33 34 36 38 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 642EMA6DqkeTbCXn.1Context: 73818acfd8734688
2025-01-14 20:03:42 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:03:42 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 36 34 32 45 4d 41 36 44 71 6b 65 54 62 43 58 6e 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 38 31 38 61 63 66 64 38 37 33 34 36 38 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: 642EMA6DqkeTbCXn.2Context: 73818acfd8734688<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:03:42 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 36 34 32 45 4d 41 36 44 71 6b 65 54 62 43 58 6e 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 33 38 31 38 61 63 66 64 38 37 33 34 36 38 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 642EMA6DqkeTbCXn.3Context: 73818acfd8734688<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:03:43 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:03:43 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 49 4d 58 67 4a 36 56 43 55 45 36 72 58 4c 73 6d 31 34 55 43 52 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: IMXgJ6VCUE6rXLsm14UCRQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	50014	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:03:56 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4c 74 4c 37 47 58 41 32 57 45 79 59 78 70 4e 45 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 35 64 33 62 31 32 34 64 63 61 33 63 32 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: LtL7GXA2WEyYxpNE.1Context: 565d3b124dca3c2e
2025-01-14 20:03:56 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:03:56 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4c 74 4c 37 47 58 41 32 57 45 79 59 78 70 4e 45 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 35 64 33 62 31 32 34 64 63 61 33 63 32 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: LtL7GXA2WEyYxpNE.2Context: 565d3b124dca3c2e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:03:56 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4c 74 4c 37 47 58 41 32 57 45 79 59 78 70 4e 45 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 36 35 64 33 62 31 32 34 64 63 61 33 63 32 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: LtL7GXA2WEyYxpNE.3Context: 565d3b124dca3c2e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:03:56 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:03:56 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 6f 4e 51 79 74 31 4f 58 30 45 4b 59 78 37 65 75 75 44 2b 61 63 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: oNQyt1OX0EKYx7euuD+acA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	50271	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:04:18 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 49 32 2b 68 4a 48 79 59 2f 30 47 65 56 4c 74 77 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 30 39 35 66 39 33 38 31 33 61 36 66 37 36 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: I2+hJHyY/0GeVLtw.1Context: 2095f93813a6f765
2025-01-14 20:04:18 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:04:18 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 49 32 2b 68 4a 48 79 59 2f 30 47 65 56 4c 74 77 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 30 39 35 66 39 33 38 31 33 61 36 66 37 36 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: I2+hJHyY/0GeVLtw.2Context: 2095f93813a6f765<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:04:18 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 49 32 2b 68 4a 48 79 59 2f 30 47 65 56 4c 74 77 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 30 39 35 66 39 33 38 31 33 61 36 66 37 36 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: I2+hJHyY/0GeVLtw.3Context: 2095f93813a6f765<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:04:18 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:04:18 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 53 2f 34 34 6b 55 51 44 5a 6b 75 7a 2f 41 32 6b 37 4d 30 4c 70 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: S/44kUQDZkuz/A2k7M0LpA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	50435	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:04:39 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4a 73 49 6f 6f 69 75 62 38 6b 32 38 56 59 54 50 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 33 34 33 66 34 63 61 33 35 38 66 30 39 65 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: JsIooiub8k28VYTP.1Context: e1343f4ca358f09e
2025-01-14 20:04:39 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:04:39 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4a 73 49 6f 6f 69 75 62 38 6b 32 38 56 59 54 50 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 33 34 33 66 34 63 61 33 35 38 66 30 39 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: JsIooiub8k28VYTP.2Context: e1343f4ca358f09e<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:04:39 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4a 73 49 6f 6f 69 75 62 38 6b 32 38 56 59 54 50 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 65 31 33 34 33 66 34 63 61 33 35 38 66 30 39 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: JsIooiub8k28VYTP.3Context: e1343f4ca358f09e<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:04:41 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:04:41 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 38 37 44 61 4e 6d 65 62 6c 30 79 5a 69 4b 48 30 59 51 42 6d 65 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 87DaNmebl0yZiKH0YQBmeQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
5	192.168.2.6	50618	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:05:05 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 48 73 73 35 74 4b 55 70 4e 6b 57 39 4a 50 50 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 36 36 63 37 66 31 31 66 30 35 37 37 30 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: Hss5tKUpNkW9JPPG.1Context: 5d66c7f11f057706
2025-01-14 20:05:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:05:05 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 48 73 73 35 74 4b 55 70 4e 6b 57 39 4a 50 50 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 36 36 63 37 66 31 31 66 30 35 37 37 30 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: Hss5tKUpNkW9JPPG.2Context: 5d66c7f11f057706<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:05:05 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 48 73 73 35 74 4b 55 70 4e 6b 57 39 4a 50 50 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 64 36 36 63 37 66 31 31 66 30 35 37 37 30 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: Hss5tKUpNkW9JPPG.3Context: 5d66c7f11f057706<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:05:06 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:05:06 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 5a 59 76 4f 33 46 5a 64 45 75 64 43 70 2b 32 46 74 4d 6d 2f 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fZYvO3FZdEudCp+2FtMm/g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
6	192.168.2.6	50619	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-14 20:05:38 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 62 68 58 52 73 4e 59 71 6c 55 36 6e 75 2b 39 52 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 39 65 35 39 66 63 30 36 63 37 61 65 32 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: bhXRsNYqlU6nu+9R.1Context: b99e59fc06c7ae25
2025-01-14 20:05:38 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-14 20:05:38 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 62 68 58 52 73 4e 59 71 6c 55 36 6e 75 2b 39 52 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 39 65 35 39 66 63 30 36 63 37 61 65 32 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 58 67 4e 2b 59 35 44 42 31 70 57 72 51 63 56 58 6d 45 71 43 41 45 76 69 49 42 45 79 6e 4f 30 4a 36 65 71 77 76 77 67 51 35 48 49 52 71 4e 68 35 43 79 6d 43 69 56 77 65 6e 64 76 4b 4b 38 61 42 62 4a 48 4d 48 4c 49 6b 4b 34 4d 32 43 37 65 54 61 53 30 78 49 2b 62 4e 4b 64 36 6d 79 70 67 65 2f 34 44 33 6c 53 65 4f 6f 32 55 38 6e Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: bhXRsNYqlU6nu+9R.2Context: b99e59fc06c7ae25<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAXgN+Y5DB1pWrQcVXmEqCAEviIBEynO0J6eqwvwgQ5HIRqNh5CymCiVwendvKK8aBbJHMHLIkK4M2C7eTaS0xI+bNKd6mypge/4D3lSeOo2U8n
2025-01-14 20:05:38 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 62 68 58 52 73 4e 59 71 6c 55 36 6e 75 2b 39 52 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 39 39 65 35 39 66 63 30 36 63 37 61 65 32 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: bhXRsNYqlU6nu+9R.3Context: b99e59fc06c7ae25<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-14 20:05:39 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-14 20:05:39 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 5a 55 30 36 56 4f 58 5a 30 6b 4b 66 53 2b 34 72 59 57 50 4c 58 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: ZU06VOXZ0kKfS+4rYWPLXg.0Payload parsing failed.

Target ID:	0
Start time:	15:03:36
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll"
Imagebase:	0xc50000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:03:36
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:03:36
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:03:36
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\MK9UBUl8t7.dll,PlayGame
Imagebase:	0xc0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:03:36
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",#1
Imagebase:	0xc0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:03:37
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B6B99570116F243C44FDBE0BA9F28457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.2205429511.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.2204915938.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs Detection: 92%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:03:37
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B6B99570116F243C44FDBE0BA9F28457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.2212673700.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2212865403.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2851934760.000000000215A000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2851637970.0000000001C34000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:03:38
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	A789C1E681FAEDB49BB1AA2019E860F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.2220780305.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs Detection: 89%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:03:39
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\MK9UBUl8t7.dll",PlayGame
Imagebase:	0xc0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:03:39
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	B6B99570116F243C44FDBE0BA9F28457
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.2232690744.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.2236660623.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.2236444659.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.2232351876.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:03:40
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	A789C1E681FAEDB49BB1AA2019E860F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.2235508681.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.2234860689.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	81.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
tasksche.exe, xrefs: 00407DEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
CreateFileA, xrefs: 00407D0F
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D

Memory Dump Source

Source File: 00000006.00000002.2222016208.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2221986842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222058344.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222204414.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2222016208.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2221986842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222058344.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222204414.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2222016208.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2221986842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222058344.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222204414.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000006.00000002.2222016208.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2221986842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222058344.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222204414.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2222016208.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2221986842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222058344.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222087930.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222204414.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2222482399.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 5140, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	42.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.SECHOST(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F7F0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Function 00407FA0 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ChangeServiceConfig2A.ADVAPI32(?,00000002,00000000), ref: 00407FF4

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: ChangeConfig2Service
String ID:
API String ID: 1962769296-0
Opcode ID: a1706dab7835f780b1f03d5e43ba888edd622bed0e7aea3d8f8afd3c7268ca94
Instruction ID: c2b924885af9df938a717b1cd4bd3eb9c67265a323fa27ec6fd0ec1784e35867
Opcode Fuzzy Hash: a1706dab7835f780b1f03d5e43ba888edd622bed0e7aea3d8f8afd3c7268ca94
Instruction Fuzzy Hash: C7F012704083019FD318DF19C594A9ABBE0FF88708F90CA6DF4AA872D1E774DA59CB42

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F7F0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F7F0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
kernel32.dll, xrefs: 00407CEA
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2850684520.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2850669577.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850699877.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850714534.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850748862.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850762950.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850777004.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000835000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.0000000000860000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2850861704.000000000087C000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 2104, Parent PID: 4364COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/..\, xrefs: 00406E03
\../, xrefs: 00406DE7
\..\, xrefs: 00406DD9
/../, xrefs: 00406DF5

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptAcquireContextA, xrefs: 00401A71
CryptEncrypt, xrefs: 00401A93
advapi32.dll, xrefs: 00401A55
CryptDecrypt, xrefs: 00401AA0
CryptGenKey, xrefs: 00401AAD
CryptDestroyKey, xrefs: 00401A86
CryptImportKey, xrefs: 00401A79

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

ReadFile, xrefs: 00401758
MoveFileW, xrefs: 00401765
CloseHandle, xrefs: 0040178C
kernel32.dll, xrefs: 00401727
DeleteFileW, xrefs: 0040177F
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
MoveFileExW, xrefs: 00401772

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

\, xrefs: 00407358
:, xrefs: 0040736E
%s%s, xrefs: 00407389
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

t.wnry, xrefs: 00402125
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
TaskStart, xrefs: 00402145
attrib +h ., xrefs: 004020DC
tasksche.exe, xrefs: 00402061, 0040206D, 00402075

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
WanaCrypt0r, xrefs: 00401145
0@, xrefs: 00401157

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

GetNativeSystemInfo, xrefs: 004022A1
?!@, xrefs: 004021F8
kernel32.dll, xrefs: 0040228C

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000009.00000002.2221318319.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.2221302301.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221354401.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221385815.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000525000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.0000000000550000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.2221410751.000000000056C000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MK9UBUl8t7.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
MK9UBUl8t7.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON