Edit tour

Windows Analysis Report
5Q6ffmX9tQ.dll

Overview

General Information

Sample name:	5Q6ffmX9tQ.dll renamed because original name is a hash value
Original sample name:	5a9e809ef287470a50cef41df8897b62.dll
Analysis ID:	1591281
MD5:	5a9e809ef287470a50cef41df8897b62
SHA1:	ee0f5c896b5a2469f8776b78b173ab32a7f77c80
SHA256:	b7d8c3c4d8fa50ea3eb0ffac24904616e3b29659a56cb7f4835bf3348883db4f
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 180 cmdline: loaddll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 2316 cmdline: rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 3276 cmdline: C:\WINDOWS\mssecsvc.exe MD5: C4AA4F0EB44ED580E3C8833F8B2392A7)

tasksche.exe (PID: 6592 cmdline: C:\WINDOWS\tasksche.exe /i MD5: AE66AA60B12FE89C181AEBC71AE5BAE7)

rundll32.exe (PID: 5592 cmdline: rundll32.exe C:\Users\user\Desktop\5Q6ffmX9tQ.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1020 cmdline: rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 4164 cmdline: C:\WINDOWS\mssecsvc.exe MD5: C4AA4F0EB44ED580E3C8833F8B2392A7)

tasksche.exe (PID: 5368 cmdline: C:\WINDOWS\tasksche.exe /i MD5: AE66AA60B12FE89C181AEBC71AE5BAE7)

mssecsvc.exe (PID: 6148 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: C4AA4F0EB44ED580E3C8833F8B2392A7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
5Q6ffmX9tQ.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5Q6ffmX9tQ.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
5Q6ffmX9tQ.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000000.2122255206.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.2122667211.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2084742323.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2114371294.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2123187182.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.2100089102.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2091672430.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 3276	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 6148	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 4164	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvc.exe.239a8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
5.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e9c128.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e9c128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e9c128.3.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e9c128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e6a084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23cc96c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23cc96c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23cc96c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23cc96c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
10.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e9c128.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e9c128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e9c128.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e9c128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e79104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e79104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e79104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1e79104.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23a9948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23a9948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23a9948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.23a9948.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.239a8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.239a8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.239a8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e6a084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e6a084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x293de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x283bb0:$x3: tasksche.exe 0x293dc0:$x3: tasksche.exe 0x293d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x293e14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x283c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24e26c:$x7: mssecsvc.exe 0x269b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x283b88:$x8: C:\%s\qeriuwjhrf 0x293de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x24e254:$s1: C:\%s\%s 0x269b7c:$s1: C:\%s\%s 0x283b9c:$s1: C:\%s\%s 0x293d14:$s3: cmd.exe /c "%s" 0x2c6268:$s4: msg/m_portuguese.wnry
7.2.mssecsvc.exe.1e6a084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1e6a084.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x293dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x293de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e6a084.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2868fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x25a8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25c25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x28c0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23cc96c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23cc96c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23cc96c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23cc96c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23a9948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23a9948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23a9948.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e750a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e750a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e750a4.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e79104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e79104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e79104.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23a58e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23a58e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23a58e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 135 entries

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.379606+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.5	49704	TCP
2025-01-14T21:10:00.997609+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.5	49705	TCP
2025-01-14T21:10:03.320213+0100	2031515	3	Misc activity	104.16.166.228	80	192.168.2.5	49728	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:09:59.869576+0100	2024291	1	A Network Trojan was detected	192.168.2.5	52693	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.378623+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024298	1	A Network Trojan was detected	192.168.2.5	49728	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.378623+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024299	1	A Network Trojan was detected	192.168.2.5	49728	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.378623+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024301	1	A Network Trojan was detected	192.168.2.5	49728	104.16.166.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.378623+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024302	1	A Network Trojan was detected	192.168.2.5	49728	104.16.166.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T21:10:00.378623+0100	2803304	3	Unknown Traffic	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2803304	3	Unknown Traffic	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2803304	3	Unknown Traffic	192.168.2.5	49728	104.16.166.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5Q6ffmX9tQ.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: 5Q6ffmX9tQ.dll	Virustotal: Detection: 94%			Perma Link
Source: 5Q6ffmX9tQ.dll	ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 5Q6ffmX9tQ.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 8_2_004018B9 CryptReleaseContext,

8_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: 5Q6ffmX9tQ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49705 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49705 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49705 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49705 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.5:49728 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.5:49728 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.5:49728 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.5:49728 -> 104.16.166.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 20:10:00 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90204457fdce188d-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 20:10:00 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9020445b9c830f80-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Jan 2025 20:10:03 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9020446a18a67d11-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: global traffic

TCP traffic: 192.168.2.5:62839 -> 162.159.36.2:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.5:52693 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.5:49705
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49728 -> 104.16.166.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.166.228:80 -> 192.168.2.5:49728

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.157
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.157
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.157
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.157
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 119.249.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.86
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.86
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.86
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.86
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 120.186.225.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.112
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 98.173.38.1
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.11
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.11
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.11
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.1
Source: unknown	TCP traffic detected without corresponding DNS query: 222.117.242.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: 5Q6ffmX9tQ.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000005.00000002.2104929585.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com(
Source: mssecsvc.exe, 00000005.00000002.2104929585.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.2123761921.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000005.00000002.2104929585.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/#
Source: mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/$
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/(
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer
Source: mssecsvc.exe, 00000005.00000002.2104929585.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/8
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/R
Source: mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/e
Source: mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/h
Source: mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/t
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comD
Source: mssecsvc.exe, 00000007.00000002.2739972556.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comM

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,memcmp,strrchr,GlobalAlloc,_local_unwind2, WANACRY!		8_2_004014A6
Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,memcmp,strrchr,GlobalAlloc,_local_unwind2, WANACRY!		8_2_004014B3

Yara detected Wannacry ransomware

Source: Yara match	File source: 5Q6ffmX9tQ.dll, type: SAMPLE
Source: Yara match	File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.239a8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23a9948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e750a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e79104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23a58e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2084742323.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2114371294.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2123187182.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2091672430.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3276, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 6148, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 4164, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 5Q6ffmX9tQ.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5Q6ffmX9tQ.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.239a8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e6a084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.239a8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.239a8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23a9948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23a9948.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e750a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e750a4.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e79104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e79104.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23a58e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23a58e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0000000B.00000000.2122255206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.2122667211.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2100089102.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 8_2_00406C40	8_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 8_2_00402A76	8_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 8_2_00402E7E	8_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 8_2_0040350F	8_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 8_2_00404C19	8_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 8_2_0040541F	8_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 8_2_00403797	8_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 8_2_004043B7	8_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 8_2_004031BC	8_2_004031BC

Source: tasksche.exe.5.dr

Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: 5Q6ffmX9tQ.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: 5Q6ffmX9tQ.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5Q6ffmX9tQ.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.239a8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e9c128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e6a084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23cc96c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e9c128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1e79104.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.23a9948.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.239a8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.239a8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e6a084.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23cc96c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23a9948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23a9948.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e750a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e750a4.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e79104.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e79104.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23a58e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23a58e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000B.00000000.2122255206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.2122667211.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2100089102.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000000.2122255206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, 5Q6ffmX9tQ.dll, tasksche.exe.5.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/2@2/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	7_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03

Source: 5Q6ffmX9tQ.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5Q6ffmX9tQ.dll,PlayGame

Source: 5Q6ffmX9tQ.dll	Virustotal: Detection: 94%
Source: 5Q6ffmX9tQ.dll	ReversingLabs: Detection: 94%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5Q6ffmX9tQ.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5Q6ffmX9tQ.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: 5Q6ffmX9tQ.dll

Static file information: File size 5267459 > 1048576

Source: 5Q6ffmX9tQ.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 8_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 8_2_00407710 push eax; ret		8_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 8_2_004076C8 push eax; ret		8_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 5860	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 5860	Thread sleep count: 35 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 4160	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000005.00000002.2104929585.0000000000D27000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000005.00000002.2104929585.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2740447587.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 00000007.00000002.2740447587.0000000000B04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW'

Source: C:\Windows\tasksche.exe

Code function: 8_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 8_2_004029CC free,GetProcessHeap,HeapFree,

8_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5Q6ffmX9tQ.dll	94%	Virustotal		Browse
5Q6ffmX9tQ.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
5Q6ffmX9tQ.dll	100%	Avira	TR/AD.WannaCry.idavw
5Q6ffmX9tQ.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com(	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comM	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	true	false		high
198.187.3.20.in-addr.arpa	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	5Q6ffmX9tQ.dll	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/R	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comM	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/(	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/h	mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/$	mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/e	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/#	mssecsvc.exe, 00000005.00000002.2104929585.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/22www.iuqerfsodp9ifjaposdfjhgosurijfaewrwer	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comD	mssecsvc.exe, 0000000A.00000002.2123761921.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/8	mssecsvc.exe, 00000005.00000002.2104929585.0000000000D0D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com(	mssecsvc.exe, 00000005.00000002.2104929585.0000000000CCE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/T	mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/t	mssecsvc.exe, 00000007.00000002.2740447587.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000007.00000002.2739972556.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
17.131.14.18	unknown	United States	714	APPLE-ENGINEERINGUS	false
89.164.20.1	unknown	Croatia (LOCAL Name: Hrvatska)	13046	ASN-ISKONHEPHR	false
17.131.14.1	unknown	United States	714	APPLE-ENGINEERINGUS	false
63.35.175.94	unknown	United States	16509	AMAZON-02US	false
181.63.117.1	unknown	Colombia	10620	TelmexColombiaSACO	false
181.63.117.2	unknown	Colombia	10620	TelmexColombiaSACO	false
130.226.248.1	unknown	Denmark	1835	FSKNET-DKForskningsnettet-DanishnetworkforResearchand	false
98.173.38.112	unknown	United States	22773	ASN-CXA-ALL-CCI-22773-RDCUS	false
3.24.35.217	unknown	United States	16509	AMAZON-02US	false
34.35.161.1	unknown	United States	2686	ATGS-MMD-ASUS	false
222.117.242.1	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
68.135.139.1	unknown	United States	701	UUNETUS	false
222.117.242.2	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
68.135.139.2	unknown	United States	701	UUNETUS	false
89.164.20.122	unknown	Croatia (LOCAL Name: Hrvatska)	13046	ASN-ISKONHEPHR	false
48.231.110.1	unknown	United States	2686	ATGS-MMD-ASUS	false
41.127.238.232	unknown	South Africa	16637	MTNNS-ASZA	false
95.28.81.1	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
56.134.30.50	unknown	United States	2686	ATGS-MMD-ASUS	false
95.28.81.2	unknown	Russian Federation	8402	CORBINA-ASOJSCVimpelcomRU	false
150.199.101.1	unknown	United States	2572	MORENETUS	false
150.199.101.2	unknown	United States	2572	MORENETUS	false
49.87.106.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
48.82.13.223	unknown	United States	2686	ATGS-MMD-ASUS	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
10.146.218.173
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591281
Start date and time:	2025-01-14 21:09:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5Q6ffmX9tQ.dll renamed because original name is a hash value
Original Sample Name:	5a9e809ef287470a50cef41df8897b62.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/2@2/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.17.190.73, 13.107.246.45, 20.12.23.50, 20.3.187.198
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 6592 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:10:01	API Interceptor	1x Sleep call for process: loaddll32.exe modified
15:10:34	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.166.228
	http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	Get hash	malicious	Unknown	Browse	104.16.167.228
	LisectAVT_2403002A_26.exe	Get hash	malicious	Wannacry	Browse	104.16.167.228
	zbRmQrzaHY.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	qt680eucI4.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-ISKONHEPHR	res.mpsl.elf	Get hash	malicious	Unknown	Browse	89.164.32.45
	armv4l.elf	Get hash	malicious	Unknown	Browse	89.164.20.67
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	141.139.165.58
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	141.136.148.88
	x86_64.elf	Get hash	malicious	Mirai	Browse	141.136.148.52
	jew.arm6.elf	Get hash	malicious	Unknown	Browse	141.139.16.203
	main_mpsl.elf	Get hash	malicious	Mirai	Browse	141.139.16.226
	mpsl.elf	Get hash	malicious	Mirai	Browse	141.139.64.118
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	89.164.32.38
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	213.202.83.224
TelmexColombiaSACO	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	186.80.227.139
	meth3.elf	Get hash	malicious	Mirai	Browse	181.48.207.245
	arm5.elf	Get hash	malicious	Unknown	Browse	181.54.154.56
	x86_64.elf	Get hash	malicious	Unknown	Browse	181.63.135.144
	res.sh4.elf	Get hash	malicious	Unknown	Browse	190.146.83.210
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	190.143.63.121
	armv7l.elf	Get hash	malicious	Unknown	Browse	190.156.88.88
	Fantazy.m68k.elf	Get hash	malicious	Unknown	Browse	104.92.208.244
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	186.85.150.231
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	181.60.229.207
AMAZON-02US	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	3.157.171.1
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	13.249.15.25
	http://titanys.mindsetmatters.buzz	Get hash	malicious	ScreenConnect Tool	Browse	44.230.85.241
	jpXNd6Kt8z.dll	Get hash	malicious	Wannacry	Browse	18.144.38.1
	bot.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	34.249.145.219
	XML-702.msi	Get hash	malicious	AteraAgent	Browse	13.35.58.7
	http://jooracces.com	Get hash	malicious	Unknown	Browse	13.32.99.59
	https://click.e.varietyvibes.buzz/Y3hpZjhhck5JNVlmRWJOUitMVlFVUzdWZlpZQm41V0lZS3E5dlJjWHNLbzhudFR6Qm5uVlZMZ2hqdkVBTmpZZUxFL2tJclNpYnJaTEdFOC9RVU5CZVlkY004d3ZTblF4S0Y5NW82WmdjMFU9	Get hash	malicious	Unknown	Browse	18.245.86.91
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	18.133.166.119
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	18.245.31.23

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.282801240948004
Encrypted:	false
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593:QqPe1Cxcxk3ZAEUadz
MD5:	AE66AA60B12FE89C181AEBC71AE5BAE7
SHA1:	E0681E1A1333954C44B6DA481EFFFB7C2C723DD4
SHA-256:	0514B35217B984200AE41623961ADAB78F2F538BF2614EEA067194D4D281F5FE
SHA-512:	D94E88919DB665291220AE6DD33D2D34BD0C351F19EB25BF2BA722832FDA9D97139E798F7FF77906995EE94D7252754FA1C46BCEF3176D94EBB60C45FCBABF48
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.282801240948004
Encrypted:	false
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593:QqPe1Cxcxk3ZAEUadz
MD5:	AE66AA60B12FE89C181AEBC71AE5BAE7
SHA1:	E0681E1A1333954C44B6DA481EFFFB7C2C723DD4
SHA-256:	0514B35217B984200AE41623961ADAB78F2F538BF2614EEA067194D4D281F5FE
SHA-512:	D94E88919DB665291220AE6DD33D2D34BD0C351F19EB25BF2BA722832FDA9D97139E798F7FF77906995EE94D7252754FA1C46BCEF3176D94EBB60C45FCBABF48
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.6277240528208585
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5Q6ffmX9tQ.dll
File size:	5'267'459 bytes
MD5:	5a9e809ef287470a50cef41df8897b62
SHA1:	ee0f5c896b5a2469f8776b78b173ab32a7f77c80
SHA256:	b7d8c3c4d8fa50ea3eb0ffac24904616e3b29659a56cb7f4835bf3348883db4f
SHA512:	cc418febb4768f43cf693f186d1255ab549ce72f45da5aaee8b871282eb3ad20611ac3e8a76e99ada507bfde430a353cdec6df41e53e9d2c1c92052bbb42a837
SSDEEP:	98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593:+DqPe1Cxcxk3ZAEUadz
TLSH:	983633A8723CE2BCE10519B40463C966A7B73C6556FF5E0F8B9085A61D43B5FBBC0E42
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F2B3937EEFBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F2B3937EF18h
cmp esi, 01h
je 00007F2B3937EEF7h
cmp esi, 02h
jne 00007F2B3937EF14h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F2B3937EEFBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F2B3937EEFEh
push edi
push esi
push ebx
call 00007F2B3937EE0Ah
test eax, eax
jne 00007F2B3937EEF6h
xor eax, eax
jmp 00007F2B3937EF40h
push edi
push esi
push ebx
call 00007F2B3937ECBCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F2B3937EEFEh
test eax, eax
jne 00007F2B3937EF29h
push edi
push eax
push ebx
call 00007F2B3937EDE6h
test esi, esi
je 00007F2B3937EEF7h
cmp esi, 03h
jne 00007F2B3937EF18h
push edi
push esi
push ebx
call 00007F2B3937EDD5h
test eax, eax
jne 00007F2B3937EEF5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F2B3937EF03h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F2B3937EEFAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	d3b8ab1757ccab463743b77bbe3e0c1e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770942687988281

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T21:09:59.869576+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.5	52693	1.1.1.1	53	UDP
2025-01-14T21:10:00.378623+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.378623+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.378623+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.378623+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.378623+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49704	104.16.166.228	80	TCP
2025-01-14T21:10:00.379606+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.5	49704	TCP
2025-01-14T21:10:00.996812+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:00.996812+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49705	104.16.166.228	80	TCP
2025-01-14T21:10:00.997609+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.5	49705	TCP
2025-01-14T21:10:03.315205+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.5	49728	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.5	49728	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.5	49728	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.5	49728	104.16.166.228	80	TCP
2025-01-14T21:10:03.315205+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.5	49728	104.16.166.228	80	TCP
2025-01-14T21:10:03.320213+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.166.228	80	192.168.2.5	49728	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:09:53.903096914 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:09:53.903341055 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:09:54.153106928 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:09:59.886035919 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:09:59.891068935 CET	80	49704	104.16.166.228	192.168.2.5
Jan 14, 2025 21:09:59.891186953 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:09:59.891365051 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:09:59.896202087 CET	80	49704	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.378529072 CET	80	49704	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.378623009 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.378813982 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.379606009 CET	80	49704	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.379664898 CET	49704	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.383618116 CET	80	49704	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.484497070 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.489619017 CET	80	49705	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.489821911 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.493453026 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.498373032 CET	80	49705	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.996638060 CET	80	49705	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.996812105 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.996965885 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:00.997608900 CET	80	49705	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:00.997689962 CET	49705	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:01.002382040 CET	80	49705	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:01.039241076 CET	49706	445	192.168.2.5	210.250.7.32
Jan 14, 2025 21:10:01.044209003 CET	445	49706	210.250.7.32	192.168.2.5
Jan 14, 2025 21:10:01.044311047 CET	49706	445	192.168.2.5	210.250.7.32
Jan 14, 2025 21:10:01.045175076 CET	49706	445	192.168.2.5	210.250.7.32
Jan 14, 2025 21:10:01.045353889 CET	49707	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.050163984 CET	445	49707	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:01.050254107 CET	49707	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.050424099 CET	49707	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.050637960 CET	445	49706	210.250.7.32	192.168.2.5
Jan 14, 2025 21:10:01.050705910 CET	49706	445	192.168.2.5	210.250.7.32
Jan 14, 2025 21:10:01.055201054 CET	445	49707	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:01.055273056 CET	49707	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.055424929 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.060280085 CET	445	49710	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:01.060374022 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.060647964 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:01.065469980 CET	445	49710	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:02.808235884 CET	49728	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:02.813488960 CET	80	49728	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:02.813591957 CET	49728	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:02.816754103 CET	49728	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:02.821553946 CET	80	49728	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:03.045981884 CET	49732	445	192.168.2.5	119.249.161.157
Jan 14, 2025 21:10:03.052705050 CET	445	49732	119.249.161.157	192.168.2.5
Jan 14, 2025 21:10:03.052798986 CET	49732	445	192.168.2.5	119.249.161.157
Jan 14, 2025 21:10:03.052855968 CET	49732	445	192.168.2.5	119.249.161.157
Jan 14, 2025 21:10:03.053071976 CET	49733	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.057929993 CET	445	49732	119.249.161.157	192.168.2.5
Jan 14, 2025 21:10:03.057990074 CET	445	49733	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:03.058002949 CET	49732	445	192.168.2.5	119.249.161.157
Jan 14, 2025 21:10:03.058073044 CET	49733	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.058110952 CET	49733	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.060595989 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.063075066 CET	445	49733	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:03.063143015 CET	49733	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.065459013 CET	445	49734	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:03.065555096 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.065612078 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:03.070353031 CET	445	49734	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:03.314657927 CET	80	49728	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:03.315057993 CET	80	49728	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:03.315205097 CET	49728	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:03.315301895 CET	49728	80	192.168.2.5	104.16.166.228
Jan 14, 2025 21:10:03.320213079 CET	80	49728	104.16.166.228	192.168.2.5
Jan 14, 2025 21:10:03.512403965 CET	49675	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:10:03.512406111 CET	49674	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:10:03.762415886 CET	49673	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:10:05.061475039 CET	49756	445	192.168.2.5	120.186.225.86
Jan 14, 2025 21:10:05.066751957 CET	445	49756	120.186.225.86	192.168.2.5
Jan 14, 2025 21:10:05.066848993 CET	49756	445	192.168.2.5	120.186.225.86
Jan 14, 2025 21:10:05.067034960 CET	49756	445	192.168.2.5	120.186.225.86
Jan 14, 2025 21:10:05.067100048 CET	49757	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.072027922 CET	445	49756	120.186.225.86	192.168.2.5
Jan 14, 2025 21:10:05.072062016 CET	445	49757	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:05.072144032 CET	49757	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.072206974 CET	49756	445	192.168.2.5	120.186.225.86
Jan 14, 2025 21:10:05.072216988 CET	49757	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.073937893 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.077264071 CET	445	49757	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:05.077322960 CET	49757	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.079027891 CET	445	49758	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:05.079096079 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.079117060 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:05.084177971 CET	445	49758	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:05.427994013 CET	443	49703	23.1.237.91	192.168.2.5
Jan 14, 2025 21:10:05.428092003 CET	49703	443	192.168.2.5	23.1.237.91
Jan 14, 2025 21:10:07.090707064 CET	49780	445	192.168.2.5	98.173.38.112
Jan 14, 2025 21:10:07.096195936 CET	445	49780	98.173.38.112	192.168.2.5
Jan 14, 2025 21:10:07.096273899 CET	49780	445	192.168.2.5	98.173.38.112
Jan 14, 2025 21:10:07.096322060 CET	49780	445	192.168.2.5	98.173.38.112
Jan 14, 2025 21:10:07.096508026 CET	49782	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.101433039 CET	445	49782	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:07.101510048 CET	49782	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.101536036 CET	49782	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.101571083 CET	445	49780	98.173.38.112	192.168.2.5
Jan 14, 2025 21:10:07.101634979 CET	49780	445	192.168.2.5	98.173.38.112
Jan 14, 2025 21:10:07.102559090 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.106667995 CET	445	49782	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:07.106725931 CET	49782	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.107564926 CET	445	49783	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:07.107645988 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.119837046 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:07.124818087 CET	445	49783	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:08.733357906 CET	445	49783	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:08.733551979 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:08.733609915 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:08.733676910 CET	49783	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:08.738534927 CET	445	49783	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:08.738549948 CET	445	49783	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:09.092166901 CET	49805	445	192.168.2.5	222.117.242.11
Jan 14, 2025 21:10:09.097316980 CET	445	49805	222.117.242.11	192.168.2.5
Jan 14, 2025 21:10:09.097512007 CET	49805	445	192.168.2.5	222.117.242.11
Jan 14, 2025 21:10:09.097605944 CET	49805	445	192.168.2.5	222.117.242.11
Jan 14, 2025 21:10:09.097898960 CET	49806	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.102782011 CET	445	49806	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:09.102914095 CET	49806	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.102957010 CET	49806	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.104163885 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.104312897 CET	445	49805	222.117.242.11	192.168.2.5
Jan 14, 2025 21:10:09.104398966 CET	445	49805	222.117.242.11	192.168.2.5
Jan 14, 2025 21:10:09.104445934 CET	49805	445	192.168.2.5	222.117.242.11
Jan 14, 2025 21:10:09.108000040 CET	445	49806	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:09.108095884 CET	49806	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.109117985 CET	445	49807	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:09.109220028 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.109306097 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:09.114130974 CET	445	49807	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:11.107376099 CET	49827	445	192.168.2.5	95.28.81.230
Jan 14, 2025 21:10:11.112459898 CET	445	49827	95.28.81.230	192.168.2.5
Jan 14, 2025 21:10:11.112560034 CET	49827	445	192.168.2.5	95.28.81.230
Jan 14, 2025 21:10:11.112617016 CET	49827	445	192.168.2.5	95.28.81.230
Jan 14, 2025 21:10:11.112945080 CET	49828	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.117548943 CET	445	49827	95.28.81.230	192.168.2.5
Jan 14, 2025 21:10:11.117638111 CET	49827	445	192.168.2.5	95.28.81.230
Jan 14, 2025 21:10:11.117707968 CET	445	49828	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:11.117764950 CET	49828	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.117810011 CET	49828	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.118742943 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.122742891 CET	445	49828	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:11.122805119 CET	49828	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.123620033 CET	445	49829	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:11.123702049 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.123748064 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:11.128609896 CET	445	49829	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:11.747092962 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:11.752681017 CET	445	49838	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:11.752907038 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:11.752947092 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:11.757765055 CET	445	49838	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:13.132661104 CET	49853	445	192.168.2.5	68.135.139.229
Jan 14, 2025 21:10:13.137725115 CET	445	49853	68.135.139.229	192.168.2.5
Jan 14, 2025 21:10:13.137821913 CET	49853	445	192.168.2.5	68.135.139.229
Jan 14, 2025 21:10:13.137970924 CET	49853	445	192.168.2.5	68.135.139.229
Jan 14, 2025 21:10:13.138169050 CET	49854	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.143078089 CET	445	49854	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:13.143153906 CET	49854	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.143233061 CET	445	49853	68.135.139.229	192.168.2.5
Jan 14, 2025 21:10:13.143301010 CET	49853	445	192.168.2.5	68.135.139.229
Jan 14, 2025 21:10:13.144407988 CET	49854	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.149336100 CET	445	49854	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:13.149399042 CET	49854	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.158147097 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.163125992 CET	445	49855	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:13.163206100 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.163252115 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:13.168003082 CET	445	49855	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:13.346946001 CET	445	49838	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:13.347043037 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:13.347413063 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:13.347457886 CET	49838	445	192.168.2.5	98.173.38.1
Jan 14, 2025 21:10:13.352404118 CET	445	49838	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:13.352435112 CET	445	49838	98.173.38.1	192.168.2.5
Jan 14, 2025 21:10:13.403625965 CET	49860	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.408524990 CET	445	49860	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:13.408602953 CET	49860	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.408679962 CET	49860	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.409041882 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.413647890 CET	445	49860	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:13.413707972 CET	49860	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.413904905 CET	445	49861	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:13.413990974 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.414028883 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:13.418900013 CET	445	49861	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:15.138071060 CET	49895	445	192.168.2.5	150.199.101.147
Jan 14, 2025 21:10:15.142935038 CET	445	49895	150.199.101.147	192.168.2.5
Jan 14, 2025 21:10:15.142997026 CET	49895	445	192.168.2.5	150.199.101.147
Jan 14, 2025 21:10:15.143085957 CET	49895	445	192.168.2.5	150.199.101.147
Jan 14, 2025 21:10:15.143203020 CET	49896	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.148009062 CET	445	49896	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:15.148106098 CET	445	49895	150.199.101.147	192.168.2.5
Jan 14, 2025 21:10:15.148118019 CET	49896	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.148118019 CET	49896	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.148302078 CET	49895	445	192.168.2.5	150.199.101.147
Jan 14, 2025 21:10:15.148402929 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.153124094 CET	445	49896	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:15.153166056 CET	445	49898	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:15.153192043 CET	49896	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.153264999 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.153372049 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:15.158158064 CET	445	49898	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:16.644639015 CET	445	49898	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:16.644696951 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:16.644742966 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:16.644881010 CET	49898	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:16.649564981 CET	445	49898	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:16.649677992 CET	445	49898	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:17.153634071 CET	49934	445	192.168.2.5	193.216.0.6
Jan 14, 2025 21:10:17.159574986 CET	445	49934	193.216.0.6	192.168.2.5
Jan 14, 2025 21:10:17.159679890 CET	49934	445	192.168.2.5	193.216.0.6
Jan 14, 2025 21:10:17.159733057 CET	49934	445	192.168.2.5	193.216.0.6
Jan 14, 2025 21:10:17.159982920 CET	49935	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.165038109 CET	445	49935	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:17.165121078 CET	49935	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.165193081 CET	49935	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.165327072 CET	445	49934	193.216.0.6	192.168.2.5
Jan 14, 2025 21:10:17.165405989 CET	49934	445	192.168.2.5	193.216.0.6
Jan 14, 2025 21:10:17.165463924 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.170861006 CET	445	49936	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:17.170953989 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.170953989 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.171194077 CET	445	49935	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:17.171439886 CET	49935	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:17.175795078 CET	445	49936	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:19.169800043 CET	49974	445	192.168.2.5	181.63.117.45
Jan 14, 2025 21:10:19.174683094 CET	445	49974	181.63.117.45	192.168.2.5
Jan 14, 2025 21:10:19.174808025 CET	49974	445	192.168.2.5	181.63.117.45
Jan 14, 2025 21:10:19.174911022 CET	49974	445	192.168.2.5	181.63.117.45
Jan 14, 2025 21:10:19.175427914 CET	49975	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.180300951 CET	445	49975	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:19.180311918 CET	445	49974	181.63.117.45	192.168.2.5
Jan 14, 2025 21:10:19.180409908 CET	49975	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.180452108 CET	445	49974	181.63.117.45	192.168.2.5
Jan 14, 2025 21:10:19.180517912 CET	49975	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.180598021 CET	49974	445	192.168.2.5	181.63.117.45
Jan 14, 2025 21:10:19.180974007 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.185498953 CET	445	49975	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:19.185678005 CET	49975	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.185800076 CET	445	49976	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:19.185941935 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.185941935 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:19.190789938 CET	445	49976	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:19.653254032 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:19.658315897 CET	445	49983	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:19.658505917 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:19.658505917 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:19.663502932 CET	445	49983	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:21.162188053 CET	445	49983	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:21.162262917 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:21.162305117 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:21.162348986 CET	49983	445	192.168.2.5	150.199.101.1
Jan 14, 2025 21:10:21.167932987 CET	445	49983	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:21.167967081 CET	445	49983	150.199.101.1	192.168.2.5
Jan 14, 2025 21:10:21.184640884 CET	50011	445	192.168.2.5	17.131.14.18
Jan 14, 2025 21:10:21.189507961 CET	445	50011	17.131.14.18	192.168.2.5
Jan 14, 2025 21:10:21.189568996 CET	50011	445	192.168.2.5	17.131.14.18
Jan 14, 2025 21:10:21.189647913 CET	50011	445	192.168.2.5	17.131.14.18
Jan 14, 2025 21:10:21.189827919 CET	50012	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.194628000 CET	445	50012	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:21.194684029 CET	50012	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.194746017 CET	50012	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.195031881 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.196274042 CET	445	50011	17.131.14.18	192.168.2.5
Jan 14, 2025 21:10:21.196434975 CET	445	50011	17.131.14.18	192.168.2.5
Jan 14, 2025 21:10:21.196471930 CET	50011	445	192.168.2.5	17.131.14.18
Jan 14, 2025 21:10:21.199618101 CET	445	50012	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:21.199661970 CET	50012	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.199856997 CET	445	50013	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:21.199924946 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.199994087 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:21.204754114 CET	445	50013	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:21.216217041 CET	50014	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.221035004 CET	445	50014	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:21.221107960 CET	50014	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.221225977 CET	50014	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.222444057 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.227341890 CET	445	50015	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:21.227442980 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.227442980 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:21.228333950 CET	445	50014	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:21.232212067 CET	445	50015	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:21.262037039 CET	445	50014	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:21.262136936 CET	50014	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:22.432394981 CET	445	49710	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:22.432686090 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:22.432749987 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:22.432816029 CET	49710	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:22.437556982 CET	445	49710	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:22.437606096 CET	445	49710	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:23.200273037 CET	50049	445	192.168.2.5	143.92.5.216
Jan 14, 2025 21:10:23.205163956 CET	445	50049	143.92.5.216	192.168.2.5
Jan 14, 2025 21:10:23.205291986 CET	50049	445	192.168.2.5	143.92.5.216
Jan 14, 2025 21:10:23.205312967 CET	50049	445	192.168.2.5	143.92.5.216
Jan 14, 2025 21:10:23.205470085 CET	50050	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.210405111 CET	445	50050	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:23.210437059 CET	445	50049	143.92.5.216	192.168.2.5
Jan 14, 2025 21:10:23.210505009 CET	50050	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.210505009 CET	50050	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.210777998 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.210777998 CET	50049	445	192.168.2.5	143.92.5.216
Jan 14, 2025 21:10:23.215749979 CET	445	50051	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:23.215785027 CET	445	50050	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:23.215831995 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.215862036 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.215883017 CET	50050	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:23.220693111 CET	445	50051	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:24.469319105 CET	445	49734	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:24.469424963 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:24.469470024 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:24.469533920 CET	49734	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:24.474323988 CET	445	49734	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:24.474355936 CET	445	49734	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:25.216093063 CET	50087	445	192.168.2.5	10.146.218.173
Jan 14, 2025 21:10:25.221060991 CET	445	50087	10.146.218.173	192.168.2.5
Jan 14, 2025 21:10:25.221143007 CET	50087	445	192.168.2.5	10.146.218.173
Jan 14, 2025 21:10:25.221214056 CET	50087	445	192.168.2.5	10.146.218.173
Jan 14, 2025 21:10:25.221376896 CET	50088	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.226229906 CET	445	50088	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:25.226298094 CET	50088	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.226315975 CET	50088	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.226502895 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.228317022 CET	445	50087	10.146.218.173	192.168.2.5
Jan 14, 2025 21:10:25.231353045 CET	445	50089	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:25.231420994 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.231457949 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.232266903 CET	445	50088	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:25.236294985 CET	445	50089	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:25.249080896 CET	445	50087	10.146.218.173	192.168.2.5
Jan 14, 2025 21:10:25.249165058 CET	50087	445	192.168.2.5	10.146.218.173
Jan 14, 2025 21:10:25.249728918 CET	445	50088	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:25.249783039 CET	50088	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:25.434669971 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:25.439647913 CET	445	50091	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:25.439750910 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:25.439837933 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:25.444669008 CET	445	50091	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:26.479270935 CET	445	49758	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:26.481246948 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:26.481246948 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:26.481292963 CET	49758	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:26.486047029 CET	445	49758	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:26.486066103 CET	445	49758	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:27.231730938 CET	50103	445	192.168.2.5	74.20.185.91
Jan 14, 2025 21:10:27.481498957 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:28.231132984 CET	50103	445	192.168.2.5	74.20.185.91
Jan 14, 2025 21:10:28.285280943 CET	445	50103	74.20.185.91	192.168.2.5
Jan 14, 2025 21:10:28.285304070 CET	445	50104	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:28.285351038 CET	50103	445	192.168.2.5	74.20.185.91
Jan 14, 2025 21:10:28.285471916 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:28.285516977 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:28.286134005 CET	445	50103	74.20.185.91	192.168.2.5
Jan 14, 2025 21:10:28.286181927 CET	50103	445	192.168.2.5	74.20.185.91
Jan 14, 2025 21:10:28.290307999 CET	445	50104	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:28.356566906 CET	50106	445	192.168.2.5	41.127.238.232
Jan 14, 2025 21:10:28.361498117 CET	445	50106	41.127.238.232	192.168.2.5
Jan 14, 2025 21:10:28.361709118 CET	50106	445	192.168.2.5	41.127.238.232
Jan 14, 2025 21:10:28.361709118 CET	50106	445	192.168.2.5	41.127.238.232
Jan 14, 2025 21:10:28.361717939 CET	50107	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.366548061 CET	445	50107	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:28.366605997 CET	50107	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.366625071 CET	50107	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.366735935 CET	445	50106	41.127.238.232	192.168.2.5
Jan 14, 2025 21:10:28.366889954 CET	50106	445	192.168.2.5	41.127.238.232
Jan 14, 2025 21:10:28.366990089 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.371661901 CET	445	50107	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:28.371706963 CET	50107	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.371742010 CET	445	50108	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:28.371831894 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.371831894 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:28.376657963 CET	445	50108	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:28.707271099 CET	62839	53	192.168.2.5	162.159.36.2
Jan 14, 2025 21:10:28.712109089 CET	53	62839	162.159.36.2	192.168.2.5
Jan 14, 2025 21:10:28.712201118 CET	62839	53	192.168.2.5	162.159.36.2
Jan 14, 2025 21:10:28.717241049 CET	53	62839	162.159.36.2	192.168.2.5
Jan 14, 2025 21:10:29.180788040 CET	62839	53	192.168.2.5	162.159.36.2
Jan 14, 2025 21:10:29.185858965 CET	53	62839	162.159.36.2	192.168.2.5
Jan 14, 2025 21:10:29.186003923 CET	62839	53	192.168.2.5	162.159.36.2
Jan 14, 2025 21:10:29.247155905 CET	62844	445	192.168.2.5	79.252.213.231
Jan 14, 2025 21:10:29.251914024 CET	445	62844	79.252.213.231	192.168.2.5
Jan 14, 2025 21:10:29.251995087 CET	62844	445	192.168.2.5	79.252.213.231
Jan 14, 2025 21:10:29.252147913 CET	62845	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.252311945 CET	62844	445	192.168.2.5	79.252.213.231
Jan 14, 2025 21:10:29.256908894 CET	445	62845	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:29.256968021 CET	62845	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.257006884 CET	62845	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.257086992 CET	445	62844	79.252.213.231	192.168.2.5
Jan 14, 2025 21:10:29.257129908 CET	62844	445	192.168.2.5	79.252.213.231
Jan 14, 2025 21:10:29.257343054 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.261962891 CET	445	62845	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:29.262015104 CET	62845	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.262079954 CET	445	62846	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:29.262131929 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.262167931 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:29.266931057 CET	445	62846	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:29.497376919 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:29.502432108 CET	445	62849	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:29.502538919 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:29.502584934 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:29.507417917 CET	445	62849	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:30.463933945 CET	445	49807	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:30.464126110 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:30.464126110 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:30.464221001 CET	49807	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:30.469011068 CET	445	49807	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:30.469021082 CET	445	49807	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:31.262797117 CET	62858	445	192.168.2.5	130.226.248.245
Jan 14, 2025 21:10:31.267664909 CET	445	62858	130.226.248.245	192.168.2.5
Jan 14, 2025 21:10:31.267769098 CET	62858	445	192.168.2.5	130.226.248.245
Jan 14, 2025 21:10:31.267832041 CET	62858	445	192.168.2.5	130.226.248.245
Jan 14, 2025 21:10:31.267960072 CET	62859	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.272840977 CET	445	62859	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:31.273179054 CET	445	62858	130.226.248.245	192.168.2.5
Jan 14, 2025 21:10:31.273250103 CET	62859	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.273251057 CET	62858	445	192.168.2.5	130.226.248.245
Jan 14, 2025 21:10:31.273351908 CET	62859	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.273586988 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.278487921 CET	445	62859	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:31.278520107 CET	445	62861	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:31.278578043 CET	62859	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.278609037 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.278636932 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:31.283582926 CET	445	62861	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:32.514513016 CET	445	49829	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:32.517642021 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:32.517695904 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:32.517771006 CET	49829	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:32.522550106 CET	445	49829	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:32.522582054 CET	445	49829	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:33.278578997 CET	62877	445	192.168.2.5	3.24.35.217
Jan 14, 2025 21:10:33.283467054 CET	445	62877	3.24.35.217	192.168.2.5
Jan 14, 2025 21:10:33.283580065 CET	62877	445	192.168.2.5	3.24.35.217
Jan 14, 2025 21:10:33.287659883 CET	62877	445	192.168.2.5	3.24.35.217
Jan 14, 2025 21:10:33.287867069 CET	62878	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.292659998 CET	445	62877	3.24.35.217	192.168.2.5
Jan 14, 2025 21:10:33.292819023 CET	62877	445	192.168.2.5	3.24.35.217
Jan 14, 2025 21:10:33.292968035 CET	445	62878	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:33.293037891 CET	62878	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.293196917 CET	62878	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.293628931 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.298100948 CET	445	62878	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:33.298160076 CET	62878	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.298603058 CET	445	62879	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:33.298671961 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.298719883 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:33.303802967 CET	445	62879	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:33.465991020 CET	62881	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:33.470793009 CET	445	62881	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:33.471015930 CET	62881	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:33.471117020 CET	62881	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:33.475961924 CET	445	62881	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:34.541377068 CET	445	49855	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:34.541438103 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:34.541470051 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:34.541522980 CET	49855	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:34.546881914 CET	445	49855	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:34.546890020 CET	445	49855	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:34.776546955 CET	445	49861	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:34.776738882 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:34.776738882 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:34.776738882 CET	49861	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:34.781656027 CET	445	49861	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:34.781708956 CET	445	49861	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:35.294120073 CET	62894	445	192.168.2.5	49.87.106.170
Jan 14, 2025 21:10:35.299084902 CET	445	62894	49.87.106.170	192.168.2.5
Jan 14, 2025 21:10:35.299180031 CET	62894	445	192.168.2.5	49.87.106.170
Jan 14, 2025 21:10:35.299199104 CET	62894	445	192.168.2.5	49.87.106.170
Jan 14, 2025 21:10:35.299496889 CET	62895	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.304279089 CET	445	62894	49.87.106.170	192.168.2.5
Jan 14, 2025 21:10:35.304332018 CET	445	62894	49.87.106.170	192.168.2.5
Jan 14, 2025 21:10:35.304367065 CET	445	62895	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:35.304440975 CET	62895	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.304483891 CET	62894	445	192.168.2.5	49.87.106.170
Jan 14, 2025 21:10:35.304538965 CET	62895	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.304769039 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.309443951 CET	445	62895	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:35.309535980 CET	62895	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.309632063 CET	445	62896	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:35.309753895 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.309773922 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:35.314604998 CET	445	62896	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:35.528666973 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:35.533581972 CET	445	62897	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:35.533696890 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:35.533754110 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:35.538655043 CET	445	62897	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:37.172226906 CET	62909	445	192.168.2.5	172.245.140.120
Jan 14, 2025 21:10:37.178225994 CET	445	62909	172.245.140.120	192.168.2.5
Jan 14, 2025 21:10:37.178317070 CET	62909	445	192.168.2.5	172.245.140.120
Jan 14, 2025 21:10:37.178385973 CET	62909	445	192.168.2.5	172.245.140.120
Jan 14, 2025 21:10:37.178628922 CET	62910	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.185269117 CET	445	62910	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:37.185286045 CET	445	62909	172.245.140.120	192.168.2.5
Jan 14, 2025 21:10:37.185333967 CET	62910	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.185368061 CET	62909	445	192.168.2.5	172.245.140.120
Jan 14, 2025 21:10:37.185477018 CET	62910	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.185780048 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.191310883 CET	445	62910	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:37.191380024 CET	62910	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.192127943 CET	445	62911	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:37.192193985 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.192231894 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:37.197765112 CET	445	62911	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:37.543942928 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:37.549812078 CET	445	62913	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:37.549902916 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:37.549938917 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:37.554707050 CET	445	62913	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:37.778212070 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:37.783503056 CET	445	62917	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:37.785033941 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:37.785064936 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:37.790546894 CET	445	62917	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:38.526607990 CET	445	49936	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:38.529654026 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:38.529654026 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:38.529654026 CET	49936	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:38.534599066 CET	445	49936	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:38.534629107 CET	445	49936	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:38.647464037 CET	445	62911	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:38.648207903 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:38.648236990 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:38.648293972 CET	62911	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:38.653117895 CET	445	62911	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:38.653150082 CET	445	62911	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:38.919261932 CET	62924	445	192.168.2.5	124.213.37.3
Jan 14, 2025 21:10:38.924103975 CET	445	62924	124.213.37.3	192.168.2.5
Jan 14, 2025 21:10:38.924191952 CET	62924	445	192.168.2.5	124.213.37.3
Jan 14, 2025 21:10:38.924232960 CET	62924	445	192.168.2.5	124.213.37.3
Jan 14, 2025 21:10:38.924401999 CET	62925	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.929181099 CET	445	62925	124.213.37.1	192.168.2.5
Jan 14, 2025 21:10:38.929258108 CET	62925	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.929321051 CET	62925	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.929541111 CET	445	62924	124.213.37.3	192.168.2.5
Jan 14, 2025 21:10:38.929578066 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.929604053 CET	62924	445	192.168.2.5	124.213.37.3
Jan 14, 2025 21:10:38.934410095 CET	445	62926	124.213.37.1	192.168.2.5
Jan 14, 2025 21:10:38.934426069 CET	445	62925	124.213.37.1	192.168.2.5
Jan 14, 2025 21:10:38.934501886 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.934501886 CET	62925	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.934720039 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:10:38.939467907 CET	445	62926	124.213.37.1	192.168.2.5
Jan 14, 2025 21:10:40.542113066 CET	445	49976	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:40.542205095 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:40.542205095 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:40.542246103 CET	49976	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:40.547019005 CET	445	49976	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:40.547032118 CET	445	49976	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:40.559727907 CET	62937	445	192.168.2.5	55.154.222.193
Jan 14, 2025 21:10:40.564526081 CET	445	62937	55.154.222.193	192.168.2.5
Jan 14, 2025 21:10:40.564594984 CET	62937	445	192.168.2.5	55.154.222.193
Jan 14, 2025 21:10:40.564656973 CET	62937	445	192.168.2.5	55.154.222.193
Jan 14, 2025 21:10:40.564824104 CET	62938	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.569708109 CET	445	62938	55.154.222.1	192.168.2.5
Jan 14, 2025 21:10:40.569772959 CET	62938	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.569813013 CET	62938	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.570095062 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.570235014 CET	445	62937	55.154.222.193	192.168.2.5
Jan 14, 2025 21:10:40.570297003 CET	62937	445	192.168.2.5	55.154.222.193
Jan 14, 2025 21:10:40.574860096 CET	445	62939	55.154.222.1	192.168.2.5
Jan 14, 2025 21:10:40.574920893 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.574970007 CET	445	62938	55.154.222.1	192.168.2.5
Jan 14, 2025 21:10:40.575022936 CET	62938	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.575129032 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:10:40.579926014 CET	445	62939	55.154.222.1	192.168.2.5
Jan 14, 2025 21:10:41.546777964 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:41.552058935 CET	445	62948	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:41.552294970 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:41.552294970 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:10:41.557666063 CET	445	62948	193.216.0.1	192.168.2.5
Jan 14, 2025 21:10:41.653187037 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:41.657948017 CET	445	62949	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:41.658075094 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:41.658099890 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:41.662849903 CET	445	62949	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:42.091434002 CET	62952	445	192.168.2.5	89.164.20.122
Jan 14, 2025 21:10:42.096992970 CET	445	62952	89.164.20.122	192.168.2.5
Jan 14, 2025 21:10:42.097071886 CET	62952	445	192.168.2.5	89.164.20.122
Jan 14, 2025 21:10:42.097235918 CET	62952	445	192.168.2.5	89.164.20.122
Jan 14, 2025 21:10:42.097362995 CET	62953	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.102250099 CET	445	62953	89.164.20.1	192.168.2.5
Jan 14, 2025 21:10:42.102292061 CET	445	62952	89.164.20.122	192.168.2.5
Jan 14, 2025 21:10:42.102418900 CET	62953	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.102418900 CET	62952	445	192.168.2.5	89.164.20.122
Jan 14, 2025 21:10:42.102525949 CET	62953	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.103363037 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.107429028 CET	445	62953	89.164.20.1	192.168.2.5
Jan 14, 2025 21:10:42.107563019 CET	62953	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.108171940 CET	445	62954	89.164.20.1	192.168.2.5
Jan 14, 2025 21:10:42.108263016 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.108314991 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:10:42.113137960 CET	445	62954	89.164.20.1	192.168.2.5
Jan 14, 2025 21:10:42.592813969 CET	445	50013	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:42.597744942 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:42.597857952 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:42.597857952 CET	50013	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:42.602699995 CET	445	50013	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:42.602714062 CET	445	50013	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:42.619631052 CET	445	50015	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:42.619882107 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:42.620098114 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:42.620202065 CET	50015	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:42.624907970 CET	445	50015	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:42.624952078 CET	445	50015	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:43.221451044 CET	445	62949	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:43.221565008 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:43.221599102 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:43.221684933 CET	62949	445	192.168.2.5	172.245.140.1
Jan 14, 2025 21:10:43.226494074 CET	445	62949	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:43.226730108 CET	445	62949	172.245.140.1	192.168.2.5
Jan 14, 2025 21:10:43.278557062 CET	62963	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.283452988 CET	445	62963	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:43.283577919 CET	62963	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.283577919 CET	62963	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.283946037 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.288536072 CET	445	62963	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:43.288618088 CET	62963	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.288800001 CET	445	62964	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:43.288981915 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.289016008 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:43.293773890 CET	445	62964	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:43.513103962 CET	62966	445	192.168.2.5	48.231.110.131
Jan 14, 2025 21:10:43.517944098 CET	445	62966	48.231.110.131	192.168.2.5
Jan 14, 2025 21:10:43.518018007 CET	62966	445	192.168.2.5	48.231.110.131
Jan 14, 2025 21:10:43.518202066 CET	62966	445	192.168.2.5	48.231.110.131
Jan 14, 2025 21:10:43.518209934 CET	62967	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.523094893 CET	445	62966	48.231.110.131	192.168.2.5
Jan 14, 2025 21:10:43.523116112 CET	445	62967	48.231.110.1	192.168.2.5
Jan 14, 2025 21:10:43.523152113 CET	62966	445	192.168.2.5	48.231.110.131
Jan 14, 2025 21:10:43.523190975 CET	62967	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.523266077 CET	62967	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.523542881 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.528266907 CET	445	62967	48.231.110.1	192.168.2.5
Jan 14, 2025 21:10:43.528351068 CET	445	62967	48.231.110.1	192.168.2.5
Jan 14, 2025 21:10:43.528366089 CET	445	62968	48.231.110.1	192.168.2.5
Jan 14, 2025 21:10:43.528398037 CET	62967	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.528434992 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.528459072 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:10:43.533265114 CET	445	62968	48.231.110.1	192.168.2.5
Jan 14, 2025 21:10:43.543797016 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:43.548589945 CET	445	62970	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:43.548741102 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:43.548741102 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:10:43.553551912 CET	445	62970	181.63.117.1	192.168.2.5
Jan 14, 2025 21:10:44.575306892 CET	445	50051	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:44.575423956 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:44.575520992 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:44.575520992 CET	50051	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:44.580708027 CET	445	50051	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:44.580729961 CET	445	50051	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:44.742188931 CET	445	62964	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:44.742361069 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:44.742361069 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:44.742361069 CET	62964	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:44.747390032 CET	445	62964	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:44.747404099 CET	445	62964	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:44.841034889 CET	62979	445	192.168.2.5	121.199.27.218
Jan 14, 2025 21:10:44.845793962 CET	445	62979	121.199.27.218	192.168.2.5
Jan 14, 2025 21:10:44.845874071 CET	62979	445	192.168.2.5	121.199.27.218
Jan 14, 2025 21:10:44.845910072 CET	62979	445	192.168.2.5	121.199.27.218
Jan 14, 2025 21:10:44.846025944 CET	62980	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.850749016 CET	445	62979	121.199.27.218	192.168.2.5
Jan 14, 2025 21:10:44.850805998 CET	62979	445	192.168.2.5	121.199.27.218
Jan 14, 2025 21:10:44.850848913 CET	445	62980	121.199.27.1	192.168.2.5
Jan 14, 2025 21:10:44.850913048 CET	62980	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.850961924 CET	62980	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.851499081 CET	62981	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.855849981 CET	445	62980	121.199.27.1	192.168.2.5
Jan 14, 2025 21:10:44.855911970 CET	62980	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.856405973 CET	445	62981	121.199.27.1	192.168.2.5
Jan 14, 2025 21:10:44.856471062 CET	62981	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.856514931 CET	62981	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:10:44.861299992 CET	445	62981	121.199.27.1	192.168.2.5
Jan 14, 2025 21:10:45.606440067 CET	62987	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:45.611378908 CET	445	62987	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:45.611452103 CET	62987	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:45.611488104 CET	62987	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:10:45.616245985 CET	445	62987	17.131.14.1	192.168.2.5
Jan 14, 2025 21:10:45.622129917 CET	62988	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:45.626954079 CET	445	62988	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:45.627044916 CET	62988	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:45.627044916 CET	62988	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:10:45.631814003 CET	445	62988	150.199.101.2	192.168.2.5
Jan 14, 2025 21:10:46.076936007 CET	62992	445	192.168.2.5	25.191.218.207
Jan 14, 2025 21:10:46.081722021 CET	445	62992	25.191.218.207	192.168.2.5
Jan 14, 2025 21:10:46.083941936 CET	62992	445	192.168.2.5	25.191.218.207
Jan 14, 2025 21:10:46.084074974 CET	62992	445	192.168.2.5	25.191.218.207
Jan 14, 2025 21:10:46.084268093 CET	62994	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.089023113 CET	445	62992	25.191.218.207	192.168.2.5
Jan 14, 2025 21:10:46.089118004 CET	445	62994	25.191.218.1	192.168.2.5
Jan 14, 2025 21:10:46.089200974 CET	62992	445	192.168.2.5	25.191.218.207
Jan 14, 2025 21:10:46.089227915 CET	62994	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.089334011 CET	62994	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.089803934 CET	62995	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.094290972 CET	445	62994	25.191.218.1	192.168.2.5
Jan 14, 2025 21:10:46.094670057 CET	445	62995	25.191.218.1	192.168.2.5
Jan 14, 2025 21:10:46.094753981 CET	62994	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.094784021 CET	62995	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.095319986 CET	62995	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:10:46.100106001 CET	445	62995	25.191.218.1	192.168.2.5
Jan 14, 2025 21:10:46.604732037 CET	445	50089	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:46.604830027 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:46.604863882 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:46.604919910 CET	50089	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:46.609713078 CET	445	50089	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:46.609726906 CET	445	50089	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:46.793961048 CET	445	50091	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:46.794027090 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:46.794075012 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:46.794135094 CET	50091	445	192.168.2.5	210.250.7.1
Jan 14, 2025 21:10:46.798877001 CET	445	50091	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:46.798930883 CET	445	50091	210.250.7.1	192.168.2.5
Jan 14, 2025 21:10:46.856488943 CET	63000	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.861321926 CET	445	63000	210.250.7.2	192.168.2.5
Jan 14, 2025 21:10:46.861393929 CET	63000	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.861452103 CET	63000	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.861999035 CET	63001	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.866532087 CET	445	63000	210.250.7.2	192.168.2.5
Jan 14, 2025 21:10:46.866601944 CET	63000	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.866791964 CET	445	63001	210.250.7.2	192.168.2.5
Jan 14, 2025 21:10:46.866925001 CET	63001	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.866978884 CET	63001	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:10:46.871745110 CET	445	63001	210.250.7.2	192.168.2.5
Jan 14, 2025 21:10:47.231945038 CET	63004	445	192.168.2.5	63.35.175.94
Jan 14, 2025 21:10:47.236929893 CET	445	63004	63.35.175.94	192.168.2.5
Jan 14, 2025 21:10:47.237072945 CET	63004	445	192.168.2.5	63.35.175.94
Jan 14, 2025 21:10:47.237202883 CET	63004	445	192.168.2.5	63.35.175.94
Jan 14, 2025 21:10:47.237404108 CET	63005	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.242254972 CET	445	63005	63.35.175.1	192.168.2.5
Jan 14, 2025 21:10:47.242363930 CET	63005	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.242687941 CET	63005	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.242692947 CET	63006	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.247509956 CET	445	63006	63.35.175.1	192.168.2.5
Jan 14, 2025 21:10:47.247613907 CET	63006	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.247642040 CET	63006	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.248281002 CET	445	63004	63.35.175.94	192.168.2.5
Jan 14, 2025 21:10:47.248296976 CET	445	63005	63.35.175.1	192.168.2.5
Jan 14, 2025 21:10:47.249660969 CET	445	63004	63.35.175.94	192.168.2.5
Jan 14, 2025 21:10:47.249741077 CET	63004	445	192.168.2.5	63.35.175.94
Jan 14, 2025 21:10:47.250471115 CET	445	63005	63.35.175.1	192.168.2.5
Jan 14, 2025 21:10:47.250538111 CET	63005	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:10:47.252489090 CET	445	63006	63.35.175.1	192.168.2.5
Jan 14, 2025 21:10:47.590692997 CET	63010	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:47.595535040 CET	445	63010	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:47.595613956 CET	63010	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:47.595642090 CET	63010	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:10:47.600434065 CET	445	63010	143.92.5.1	192.168.2.5
Jan 14, 2025 21:10:47.747062922 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:47.751996994 CET	445	63012	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:47.752099037 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:47.752146006 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:47.756951094 CET	445	63012	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:48.309797049 CET	63016	445	192.168.2.5	34.35.161.186
Jan 14, 2025 21:10:48.314609051 CET	445	63016	34.35.161.186	192.168.2.5
Jan 14, 2025 21:10:48.314810038 CET	63016	445	192.168.2.5	34.35.161.186
Jan 14, 2025 21:10:48.314832926 CET	63016	445	192.168.2.5	34.35.161.186
Jan 14, 2025 21:10:48.315007925 CET	63017	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.319813013 CET	445	63016	34.35.161.186	192.168.2.5
Jan 14, 2025 21:10:48.319829941 CET	445	63017	34.35.161.1	192.168.2.5
Jan 14, 2025 21:10:48.319878101 CET	63016	445	192.168.2.5	34.35.161.186
Jan 14, 2025 21:10:48.319931030 CET	63017	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.320003986 CET	63017	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.320347071 CET	63018	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.325182915 CET	445	63018	34.35.161.1	192.168.2.5
Jan 14, 2025 21:10:48.325258017 CET	63018	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.325295925 CET	63018	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.325475931 CET	445	63017	34.35.161.1	192.168.2.5
Jan 14, 2025 21:10:48.325542927 CET	63017	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:10:48.330151081 CET	445	63018	34.35.161.1	192.168.2.5
Jan 14, 2025 21:10:49.212502956 CET	445	63012	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:49.212707043 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:49.212707043 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:49.212707043 CET	63012	445	192.168.2.5	172.245.140.2
Jan 14, 2025 21:10:49.217683077 CET	445	63012	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:49.217699051 CET	445	63012	172.245.140.2	192.168.2.5
Jan 14, 2025 21:10:49.278512001 CET	63025	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.283982038 CET	445	63025	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:49.284178972 CET	63025	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.284264088 CET	63025	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.284599066 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.289482117 CET	445	63026	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:49.289575100 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.289614916 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.289751053 CET	445	63025	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:49.289818048 CET	63025	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:49.294470072 CET	445	63026	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:49.325398922 CET	63029	445	192.168.2.5	28.91.98.139
Jan 14, 2025 21:10:49.330370903 CET	445	63029	28.91.98.139	192.168.2.5
Jan 14, 2025 21:10:49.330521107 CET	63029	445	192.168.2.5	28.91.98.139
Jan 14, 2025 21:10:49.330677986 CET	63029	445	192.168.2.5	28.91.98.139
Jan 14, 2025 21:10:49.331012964 CET	63030	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.335900068 CET	445	63029	28.91.98.139	192.168.2.5
Jan 14, 2025 21:10:49.335978985 CET	445	63030	28.91.98.1	192.168.2.5
Jan 14, 2025 21:10:49.335982084 CET	63029	445	192.168.2.5	28.91.98.139
Jan 14, 2025 21:10:49.336052895 CET	63030	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.336137056 CET	63030	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.336461067 CET	63031	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.341648102 CET	445	63031	28.91.98.1	192.168.2.5
Jan 14, 2025 21:10:49.341732025 CET	63031	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.341773033 CET	63031	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.343796015 CET	445	63030	28.91.98.1	192.168.2.5
Jan 14, 2025 21:10:49.343943119 CET	63030	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:10:49.346683979 CET	445	63031	28.91.98.1	192.168.2.5
Jan 14, 2025 21:10:49.606578112 CET	63032	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:49.611481905 CET	445	63032	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:49.611608982 CET	63032	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:49.611653090 CET	63032	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:10:49.616621971 CET	445	63032	10.146.218.1	192.168.2.5
Jan 14, 2025 21:10:49.672902107 CET	445	50104	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:49.673018932 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:49.673072100 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:49.673161983 CET	50104	445	192.168.2.5	119.249.161.1
Jan 14, 2025 21:10:49.677894115 CET	445	50104	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:49.677949905 CET	445	50104	119.249.161.1	192.168.2.5
Jan 14, 2025 21:10:49.730671883 CET	445	50108	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:49.730880022 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:49.730880022 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:49.730880022 CET	50108	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:49.731612921 CET	63034	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.736179113 CET	445	50108	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:49.736222982 CET	445	50108	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:49.736509085 CET	445	63034	119.249.161.2	192.168.2.5
Jan 14, 2025 21:10:49.736655951 CET	63034	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.736655951 CET	63034	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.737004042 CET	63035	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.742094040 CET	445	63034	119.249.161.2	192.168.2.5
Jan 14, 2025 21:10:49.742146969 CET	445	63035	119.249.161.2	192.168.2.5
Jan 14, 2025 21:10:49.742175102 CET	63034	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.742218018 CET	63035	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.742247105 CET	63035	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:10:49.747308969 CET	445	63035	119.249.161.2	192.168.2.5
Jan 14, 2025 21:10:50.262950897 CET	63040	445	192.168.2.5	48.82.13.223
Jan 14, 2025 21:10:50.267908096 CET	445	63040	48.82.13.223	192.168.2.5
Jan 14, 2025 21:10:50.268018961 CET	63040	445	192.168.2.5	48.82.13.223
Jan 14, 2025 21:10:50.268079042 CET	63040	445	192.168.2.5	48.82.13.223
Jan 14, 2025 21:10:50.268269062 CET	63041	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.273143053 CET	445	63041	48.82.13.1	192.168.2.5
Jan 14, 2025 21:10:50.273220062 CET	63041	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.273236990 CET	63041	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.273250103 CET	445	63040	48.82.13.223	192.168.2.5
Jan 14, 2025 21:10:50.273303032 CET	63040	445	192.168.2.5	48.82.13.223
Jan 14, 2025 21:10:50.273536921 CET	63042	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.278244972 CET	445	63041	48.82.13.1	192.168.2.5
Jan 14, 2025 21:10:50.278312922 CET	63041	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.278367043 CET	445	63042	48.82.13.1	192.168.2.5
Jan 14, 2025 21:10:50.278431892 CET	63042	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.278480053 CET	63042	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:10:50.283346891 CET	445	63042	48.82.13.1	192.168.2.5
Jan 14, 2025 21:10:50.604837894 CET	445	62846	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:50.604933023 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:50.604979038 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:50.604986906 CET	62846	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:50.609954119 CET	445	62846	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:50.609985113 CET	445	62846	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:50.741590977 CET	445	63026	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:50.741699934 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:50.741699934 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:50.741832018 CET	63026	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:50.746608973 CET	445	63026	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:50.746644020 CET	445	63026	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:50.886646032 CET	445	62849	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:50.887285948 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:50.887331963 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:50.887538910 CET	62849	445	192.168.2.5	120.186.225.1
Jan 14, 2025 21:10:50.892465115 CET	445	62849	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:50.892496109 CET	445	62849	120.186.225.1	192.168.2.5
Jan 14, 2025 21:10:50.950175047 CET	63048	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.955071926 CET	445	63048	120.186.225.2	192.168.2.5
Jan 14, 2025 21:10:50.955147028 CET	63048	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.955188990 CET	63048	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.955519915 CET	63049	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.960242033 CET	445	63048	120.186.225.2	192.168.2.5
Jan 14, 2025 21:10:50.960408926 CET	445	63049	120.186.225.2	192.168.2.5
Jan 14, 2025 21:10:50.960464954 CET	63048	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.960489035 CET	63049	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.960539103 CET	63049	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:10:50.965387106 CET	445	63049	120.186.225.2	192.168.2.5
Jan 14, 2025 21:10:51.138201952 CET	63050	445	192.168.2.5	21.94.228.40
Jan 14, 2025 21:10:51.143227100 CET	445	63050	21.94.228.40	192.168.2.5
Jan 14, 2025 21:10:51.143331051 CET	63050	445	192.168.2.5	21.94.228.40
Jan 14, 2025 21:10:51.143439054 CET	63050	445	192.168.2.5	21.94.228.40
Jan 14, 2025 21:10:51.143553019 CET	63052	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.148314953 CET	445	63050	21.94.228.40	192.168.2.5
Jan 14, 2025 21:10:51.148428917 CET	445	63052	21.94.228.1	192.168.2.5
Jan 14, 2025 21:10:51.148485899 CET	63052	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.148515940 CET	63052	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.148521900 CET	445	63050	21.94.228.40	192.168.2.5
Jan 14, 2025 21:10:51.148802042 CET	63053	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.148927927 CET	63050	445	192.168.2.5	21.94.228.40
Jan 14, 2025 21:10:51.153579950 CET	445	63052	21.94.228.1	192.168.2.5
Jan 14, 2025 21:10:51.153633118 CET	445	63053	21.94.228.1	192.168.2.5
Jan 14, 2025 21:10:51.153636932 CET	63052	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.153698921 CET	63053	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.153723001 CET	63053	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:10:51.158596039 CET	445	63053	21.94.228.1	192.168.2.5
Jan 14, 2025 21:10:52.226022959 CET	63058	445	192.168.2.5	56.134.30.50
Jan 14, 2025 21:10:52.231276035 CET	445	63058	56.134.30.50	192.168.2.5
Jan 14, 2025 21:10:52.232204914 CET	63058	445	192.168.2.5	56.134.30.50
Jan 14, 2025 21:10:52.235498905 CET	63058	445	192.168.2.5	56.134.30.50
Jan 14, 2025 21:10:52.235707998 CET	63059	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.240921021 CET	445	63059	56.134.30.1	192.168.2.5
Jan 14, 2025 21:10:52.241144896 CET	63059	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.244338989 CET	445	63058	56.134.30.50	192.168.2.5
Jan 14, 2025 21:10:52.244718075 CET	63059	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.256323099 CET	445	63059	56.134.30.1	192.168.2.5
Jan 14, 2025 21:10:52.258749008 CET	445	63058	56.134.30.50	192.168.2.5
Jan 14, 2025 21:10:52.258832932 CET	63058	445	192.168.2.5	56.134.30.50
Jan 14, 2025 21:10:52.259438992 CET	445	63059	56.134.30.1	192.168.2.5
Jan 14, 2025 21:10:52.259526014 CET	63059	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.325320959 CET	63061	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.330285072 CET	445	63061	56.134.30.1	192.168.2.5
Jan 14, 2025 21:10:52.330372095 CET	63061	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.330523014 CET	63061	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:10:52.335376024 CET	445	63061	56.134.30.1	192.168.2.5
Jan 14, 2025 21:10:52.638024092 CET	445	62861	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:52.638097048 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:52.638144970 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:52.638384104 CET	62861	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:52.643054008 CET	445	62861	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:52.643176079 CET	445	62861	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:52.731586933 CET	63066	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:52.736490965 CET	445	63066	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:52.736587048 CET	63066	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:52.736620903 CET	63066	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:10:52.741518974 CET	445	63066	41.127.238.1	192.168.2.5
Jan 14, 2025 21:10:52.856554985 CET	63067	445	192.168.2.5	148.234.66.127
Jan 14, 2025 21:10:52.861399889 CET	445	63067	148.234.66.127	192.168.2.5
Jan 14, 2025 21:10:52.861463070 CET	63067	445	192.168.2.5	148.234.66.127
Jan 14, 2025 21:10:52.861505032 CET	63067	445	192.168.2.5	148.234.66.127
Jan 14, 2025 21:10:52.861659050 CET	63068	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.866381884 CET	445	63067	148.234.66.127	192.168.2.5
Jan 14, 2025 21:10:52.866429090 CET	445	63068	148.234.66.1	192.168.2.5
Jan 14, 2025 21:10:52.866430998 CET	63067	445	192.168.2.5	148.234.66.127
Jan 14, 2025 21:10:52.866472960 CET	63068	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.866555929 CET	63068	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.866820097 CET	63069	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.871436119 CET	445	63068	148.234.66.1	192.168.2.5
Jan 14, 2025 21:10:52.871479988 CET	63068	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.871565104 CET	445	63069	148.234.66.1	192.168.2.5
Jan 14, 2025 21:10:52.871685982 CET	63069	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.871702909 CET	63069	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:10:52.876544952 CET	445	63069	148.234.66.1	192.168.2.5
Jan 14, 2025 21:10:53.606559992 CET	63076	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:53.611366034 CET	445	63076	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:53.613620043 CET	63076	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:53.613640070 CET	63076	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:10:53.618515968 CET	445	63076	79.252.213.1	192.168.2.5
Jan 14, 2025 21:10:53.747056007 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:53.751908064 CET	445	63077	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:53.752002954 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:53.752070904 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:53.756875992 CET	445	63077	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:54.667404890 CET	445	62879	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:54.667473078 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:54.667506933 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:54.667531013 CET	62879	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:54.672389984 CET	445	62879	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:54.672418118 CET	445	62879	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:54.855859041 CET	445	62881	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:54.856277943 CET	62881	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:54.867093086 CET	62881	445	192.168.2.5	222.117.242.1
Jan 14, 2025 21:10:54.872095108 CET	445	62881	222.117.242.1	192.168.2.5
Jan 14, 2025 21:10:54.963854074 CET	63091	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.968849897 CET	445	63091	222.117.242.2	192.168.2.5
Jan 14, 2025 21:10:54.969573021 CET	63091	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.973206043 CET	63091	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.978122950 CET	63092	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.979290962 CET	445	63091	222.117.242.2	192.168.2.5
Jan 14, 2025 21:10:54.979361057 CET	63091	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.983025074 CET	445	63092	222.117.242.2	192.168.2.5
Jan 14, 2025 21:10:54.985593081 CET	63092	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.987329960 CET	63092	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:10:54.992141962 CET	445	63092	222.117.242.2	192.168.2.5
Jan 14, 2025 21:10:55.214205980 CET	445	63077	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:55.214565992 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:55.222182989 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:55.222212076 CET	63077	445	192.168.2.5	172.245.140.3
Jan 14, 2025 21:10:55.226977110 CET	445	63077	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:55.226996899 CET	445	63077	172.245.140.3	192.168.2.5
Jan 14, 2025 21:10:55.281550884 CET	63093	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.286505938 CET	445	63093	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:55.286752939 CET	63093	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.296103954 CET	63093	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.297533035 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.301958084 CET	445	63093	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:55.302033901 CET	63093	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.302306890 CET	445	63094	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:55.302365065 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.302432060 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:55.307270050 CET	445	63094	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:55.653403997 CET	63102	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:55.658380032 CET	445	63102	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:55.658505917 CET	63102	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:55.658539057 CET	63102	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:10:55.663397074 CET	445	63102	130.226.248.1	192.168.2.5
Jan 14, 2025 21:10:56.686758041 CET	445	62896	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:56.689611912 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:56.689688921 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:56.689726114 CET	62896	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:56.694500923 CET	445	62896	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:56.694516897 CET	445	62896	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:56.762099981 CET	445	63094	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:56.762330055 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:56.762331009 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:56.762331009 CET	63094	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:56.767276049 CET	445	63094	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:56.767293930 CET	445	63094	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:56.886414051 CET	445	62897	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:56.886533022 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:56.886848927 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:56.886848927 CET	62897	445	192.168.2.5	95.28.81.1
Jan 14, 2025 21:10:56.891784906 CET	445	62897	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:56.891802073 CET	445	62897	95.28.81.1	192.168.2.5
Jan 14, 2025 21:10:56.950206041 CET	63116	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.955131054 CET	445	63116	95.28.81.2	192.168.2.5
Jan 14, 2025 21:10:56.955236912 CET	63116	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.955290079 CET	63116	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.955652952 CET	63117	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.960345984 CET	445	63116	95.28.81.2	192.168.2.5
Jan 14, 2025 21:10:56.960421085 CET	63116	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.960556030 CET	445	63117	95.28.81.2	192.168.2.5
Jan 14, 2025 21:10:56.960702896 CET	63117	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.960704088 CET	63117	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:10:56.965810061 CET	445	63117	95.28.81.2	192.168.2.5
Jan 14, 2025 21:10:57.668916941 CET	63124	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:57.673804998 CET	445	63124	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:57.673909903 CET	63124	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:57.674102068 CET	63124	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:10:57.678811073 CET	445	63124	3.24.35.1	192.168.2.5
Jan 14, 2025 21:10:58.923391104 CET	445	62913	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:58.923657894 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:58.923715115 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:58.923743010 CET	62913	445	192.168.2.5	68.135.139.1
Jan 14, 2025 21:10:58.928617001 CET	445	62913	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:58.928648949 CET	445	62913	68.135.139.1	192.168.2.5
Jan 14, 2025 21:10:58.981739998 CET	63137	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.986812115 CET	445	63137	68.135.139.2	192.168.2.5
Jan 14, 2025 21:10:58.989625931 CET	63137	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.991303921 CET	63137	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.991959095 CET	63138	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.996265888 CET	445	63137	68.135.139.2	192.168.2.5
Jan 14, 2025 21:10:58.996790886 CET	445	63138	68.135.139.2	192.168.2.5
Jan 14, 2025 21:10:58.996932983 CET	63138	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.996964931 CET	63138	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:58.998903036 CET	445	63137	68.135.139.2	192.168.2.5
Jan 14, 2025 21:10:59.001482964 CET	63137	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:10:59.002312899 CET	445	63138	68.135.139.2	192.168.2.5
Jan 14, 2025 21:10:59.169205904 CET	445	62917	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:59.169325113 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:59.169373035 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:59.169404984 CET	62917	445	192.168.2.5	98.173.38.2
Jan 14, 2025 21:10:59.174319029 CET	445	62917	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:59.174350023 CET	445	62917	98.173.38.2	192.168.2.5
Jan 14, 2025 21:10:59.231659889 CET	63142	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.236707926 CET	445	63142	98.173.38.3	192.168.2.5
Jan 14, 2025 21:10:59.236839056 CET	63142	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.236926079 CET	63142	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.237319946 CET	63143	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.242316008 CET	445	63143	98.173.38.3	192.168.2.5
Jan 14, 2025 21:10:59.242413044 CET	63143	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.242448092 CET	63143	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.244322062 CET	445	63142	98.173.38.3	192.168.2.5
Jan 14, 2025 21:10:59.247330904 CET	445	63143	98.173.38.3	192.168.2.5
Jan 14, 2025 21:10:59.251869917 CET	445	63142	98.173.38.3	192.168.2.5
Jan 14, 2025 21:10:59.251969099 CET	63142	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:10:59.700253963 CET	63150	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:59.705312014 CET	445	63150	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:59.705477953 CET	63150	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:59.705513000 CET	63150	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:10:59.710233927 CET	445	63150	49.87.106.1	192.168.2.5
Jan 14, 2025 21:10:59.762991905 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:59.767846107 CET	445	63152	172.245.140.4	192.168.2.5
Jan 14, 2025 21:10:59.768083096 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:59.768129110 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:10:59.772872925 CET	445	63152	172.245.140.4	192.168.2.5
Jan 14, 2025 21:11:00.308307886 CET	445	62926	124.213.37.1	192.168.2.5
Jan 14, 2025 21:11:00.308458090 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:00.308494091 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:00.308532000 CET	62926	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:00.313318968 CET	445	62926	124.213.37.1	192.168.2.5
Jan 14, 2025 21:11:00.313330889 CET	445	62926	124.213.37.1	192.168.2.5
Jan 14, 2025 21:11:01.210437059 CET	445	63152	172.245.140.4	192.168.2.5
Jan 14, 2025 21:11:01.210505962 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:11:01.210550070 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:11:01.210550070 CET	63152	445	192.168.2.5	172.245.140.4
Jan 14, 2025 21:11:01.215384960 CET	445	63152	172.245.140.4	192.168.2.5
Jan 14, 2025 21:11:01.215399981 CET	445	63152	172.245.140.4	192.168.2.5
Jan 14, 2025 21:11:01.262669086 CET	63179	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.267738104 CET	445	63179	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:01.267821074 CET	63179	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.267898083 CET	63179	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.268317938 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.273021936 CET	445	63179	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:01.273085117 CET	63179	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.273236036 CET	445	63180	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:01.273313046 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.273355007 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:01.278172970 CET	445	63180	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:01.934969902 CET	445	62939	55.154.222.1	192.168.2.5
Jan 14, 2025 21:11:01.935127020 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:01.935173988 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:01.935205936 CET	62939	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:01.940107107 CET	445	62939	55.154.222.1	192.168.2.5
Jan 14, 2025 21:11:01.940123081 CET	445	62939	55.154.222.1	192.168.2.5
Jan 14, 2025 21:11:02.726593018 CET	445	63180	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:02.726710081 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:02.726710081 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:02.726768970 CET	63180	445	192.168.2.5	172.245.140.5
Jan 14, 2025 21:11:02.731643915 CET	445	63180	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:02.731659889 CET	445	63180	172.245.140.5	192.168.2.5
Jan 14, 2025 21:11:02.918278933 CET	445	62948	193.216.0.1	192.168.2.5
Jan 14, 2025 21:11:02.918375969 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:11:02.918469906 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:11:02.918469906 CET	62948	445	192.168.2.5	193.216.0.1
Jan 14, 2025 21:11:02.923365116 CET	445	62948	193.216.0.1	192.168.2.5
Jan 14, 2025 21:11:02.923387051 CET	445	62948	193.216.0.1	192.168.2.5
Jan 14, 2025 21:11:02.986618042 CET	63226	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.991671085 CET	445	63226	193.216.0.2	192.168.2.5
Jan 14, 2025 21:11:02.991765976 CET	63226	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.991908073 CET	63226	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.993285894 CET	63227	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.996794939 CET	445	63226	193.216.0.2	192.168.2.5
Jan 14, 2025 21:11:02.996860027 CET	63226	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.998080015 CET	445	63227	193.216.0.2	192.168.2.5
Jan 14, 2025 21:11:02.998156071 CET	63227	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:02.998202085 CET	63227	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:03.003406048 CET	445	63227	193.216.0.2	192.168.2.5
Jan 14, 2025 21:11:03.313097000 CET	63240	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:03.318032980 CET	445	63240	124.213.37.1	192.168.2.5
Jan 14, 2025 21:11:03.318146944 CET	63240	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:03.321608067 CET	63240	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:03.326474905 CET	445	63240	124.213.37.1	192.168.2.5
Jan 14, 2025 21:11:03.497718096 CET	445	62954	89.164.20.1	192.168.2.5
Jan 14, 2025 21:11:03.497792006 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:11:03.500905991 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:11:03.500941992 CET	62954	445	192.168.2.5	89.164.20.1
Jan 14, 2025 21:11:03.505918026 CET	445	62954	89.164.20.1	192.168.2.5
Jan 14, 2025 21:11:03.505964041 CET	445	62954	89.164.20.1	192.168.2.5
Jan 14, 2025 21:11:04.903856039 CET	445	62970	181.63.117.1	192.168.2.5
Jan 14, 2025 21:11:04.903960943 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:11:04.903960943 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:11:04.904057026 CET	62970	445	192.168.2.5	181.63.117.1
Jan 14, 2025 21:11:04.908880949 CET	445	62970	181.63.117.1	192.168.2.5
Jan 14, 2025 21:11:04.908901930 CET	445	62970	181.63.117.1	192.168.2.5
Jan 14, 2025 21:11:04.918895960 CET	445	62968	48.231.110.1	192.168.2.5
Jan 14, 2025 21:11:04.918961048 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:11:04.919027090 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:11:04.919027090 CET	62968	445	192.168.2.5	48.231.110.1
Jan 14, 2025 21:11:04.923909903 CET	445	62968	48.231.110.1	192.168.2.5
Jan 14, 2025 21:11:04.923943043 CET	445	62968	48.231.110.1	192.168.2.5
Jan 14, 2025 21:11:04.950313091 CET	63344	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:04.955172062 CET	445	63344	55.154.222.1	192.168.2.5
Jan 14, 2025 21:11:04.955287933 CET	63344	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:04.957568884 CET	63344	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:04.962454081 CET	445	63344	55.154.222.1	192.168.2.5
Jan 14, 2025 21:11:04.965851068 CET	63346	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.970791101 CET	445	63346	181.63.117.2	192.168.2.5
Jan 14, 2025 21:11:04.970868111 CET	63346	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.970894098 CET	63346	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.971138000 CET	63348	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.975960016 CET	445	63348	181.63.117.2	192.168.2.5
Jan 14, 2025 21:11:04.976031065 CET	63348	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.976058960 CET	63348	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.976325035 CET	445	63346	181.63.117.2	192.168.2.5
Jan 14, 2025 21:11:04.977274895 CET	445	63346	181.63.117.2	192.168.2.5
Jan 14, 2025 21:11:04.977319956 CET	63346	445	192.168.2.5	181.63.117.2
Jan 14, 2025 21:11:04.980873108 CET	445	63348	181.63.117.2	192.168.2.5
Jan 14, 2025 21:11:06.101031065 CET	63053	445	192.168.2.5	21.94.228.1
Jan 14, 2025 21:11:06.101083994 CET	63001	445	192.168.2.5	210.250.7.2
Jan 14, 2025 21:11:06.101130009 CET	63117	445	192.168.2.5	95.28.81.2
Jan 14, 2025 21:11:06.101205111 CET	63066	445	192.168.2.5	41.127.238.1
Jan 14, 2025 21:11:06.101231098 CET	63035	445	192.168.2.5	119.249.161.2
Jan 14, 2025 21:11:06.101279020 CET	63138	445	192.168.2.5	68.135.139.2
Jan 14, 2025 21:11:06.101309061 CET	63143	445	192.168.2.5	98.173.38.3
Jan 14, 2025 21:11:06.101340055 CET	63010	445	192.168.2.5	143.92.5.1
Jan 14, 2025 21:11:06.101361036 CET	62981	445	192.168.2.5	121.199.27.1
Jan 14, 2025 21:11:06.101387024 CET	62987	445	192.168.2.5	17.131.14.1
Jan 14, 2025 21:11:06.101408958 CET	62988	445	192.168.2.5	150.199.101.2
Jan 14, 2025 21:11:06.101429939 CET	62995	445	192.168.2.5	25.191.218.1
Jan 14, 2025 21:11:06.101449013 CET	63006	445	192.168.2.5	63.35.175.1
Jan 14, 2025 21:11:06.101470947 CET	63124	445	192.168.2.5	3.24.35.1
Jan 14, 2025 21:11:06.101502895 CET	63018	445	192.168.2.5	34.35.161.1
Jan 14, 2025 21:11:06.101520061 CET	63031	445	192.168.2.5	28.91.98.1
Jan 14, 2025 21:11:06.101546049 CET	63032	445	192.168.2.5	10.146.218.1
Jan 14, 2025 21:11:06.101557970 CET	63042	445	192.168.2.5	48.82.13.1
Jan 14, 2025 21:11:06.101576090 CET	63049	445	192.168.2.5	120.186.225.2
Jan 14, 2025 21:11:06.101627111 CET	63061	445	192.168.2.5	56.134.30.1
Jan 14, 2025 21:11:06.101658106 CET	63069	445	192.168.2.5	148.234.66.1
Jan 14, 2025 21:11:06.101677895 CET	63076	445	192.168.2.5	79.252.213.1
Jan 14, 2025 21:11:06.101691008 CET	63092	445	192.168.2.5	222.117.242.2
Jan 14, 2025 21:11:06.101728916 CET	63102	445	192.168.2.5	130.226.248.1
Jan 14, 2025 21:11:06.101744890 CET	63150	445	192.168.2.5	49.87.106.1
Jan 14, 2025 21:11:06.101851940 CET	63227	445	192.168.2.5	193.216.0.2
Jan 14, 2025 21:11:06.101895094 CET	63240	445	192.168.2.5	124.213.37.1
Jan 14, 2025 21:11:06.101998091 CET	63344	445	192.168.2.5	55.154.222.1
Jan 14, 2025 21:11:06.102518082 CET	63348	445	192.168.2.5	181.63.117.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 21:09:59.869575977 CET	52693	53	192.168.2.5	1.1.1.1
Jan 14, 2025 21:09:59.880666018 CET	53	52693	1.1.1.1	192.168.2.5
Jan 14, 2025 21:10:28.706718922 CET	53	57234	162.159.36.2	192.168.2.5
Jan 14, 2025 21:10:29.187612057 CET	53517	53	192.168.2.5	1.1.1.1
Jan 14, 2025 21:10:29.195190907 CET	53	53517	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 21:09:59.869575977 CET	192.168.2.5	1.1.1.1	0x410b	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:10:29.187612057 CET	192.168.2.5	1.1.1.1	0x43ad	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 21:09:59.880666018 CET	1.1.1.1	192.168.2.5	0x410b	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:09:59.880666018 CET	1.1.1.1	192.168.2.5	0x410b	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com		104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 14, 2025 21:10:29.195190907 CET	1.1.1.1	192.168.2.5	0x43ad	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.16.166.228	80	3276	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:09:59.891365051 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 21:10:00.378529072 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 20:10:00 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90204457fdce188d-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	104.16.166.228	80	6148	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:00.493453026 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 21:10:00.996638060 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 20:10:00 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9020445b9c830f80-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49728	104.16.166.228	80	4164	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 14, 2025 21:10:02.816754103 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 14, 2025 21:10:03.314657927 CET	778	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 20:10:03 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9020446a18a67d11-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	0
Start time:	15:09:58
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll"
Imagebase:	0xf60000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:09:58
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:09:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:09:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\5Q6ffmX9tQ.dll,PlayGame
Imagebase:	0x4f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:09:58
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",#1
Imagebase:	0x4f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:09:59
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	C4AA4F0EB44ED580E3C8833F8B2392A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2084742323.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2084834876.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:09:59
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	C4AA4F0EB44ED580E3C8833F8B2392A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2741160787.00000000023A9000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2091672430.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2091759260.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2740890323.0000000001E79000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:10:00
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	AE66AA60B12FE89C181AEBC71AE5BAE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2100089102.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:10:01
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\5Q6ffmX9tQ.dll",PlayGame
Imagebase:	0x4f0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:10:02
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	C4AA4F0EB44ED580E3C8833F8B2392A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2114371294.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2123187182.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2123356120.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2114509003.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:10:02
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	AE66AA60B12FE89C181AEBC71AE5BAE7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.2122255206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.2122667211.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
WINDOWS, xrefs: 00407DF2, 00407E0D
C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000005.00000002.2104242693.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2104223452.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104262791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104339716.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.2104242693.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2104223452.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104262791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104339716.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000005.00000002.2104242693.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2104223452.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104262791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104339716.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000005.00000002.2104242693.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2104223452.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104262791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104339716.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.2104242693.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2104223452.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104262791.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104285547.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104339716.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2104474540.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 6148, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2740038136.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2740022811.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740054643.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740121463.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740136734.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000007.00000002.2740038136.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2740022811.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740054643.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740121463.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740136734.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000007.00000002.2740038136.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2740022811.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740054643.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740121463.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740136734.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateProcessA, xrefs: 00407D07
WriteFile, xrefs: 00407D1C
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000007.00000002.2740038136.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2740022811.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740054643.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740121463.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740136734.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2740038136.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2740022811.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740054643.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740069916.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740107429.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740121463.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740136734.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2740223796.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 6592, Parent PID: 3276COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(000000FF,?,0000012C,?,00000000), ref: 00406C91

Strings

\..\, xrefs: 00406DD9
/../, xrefs: 00406DF5
/..\, xrefs: 00406E03
\../, xrefs: 00406DE7

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 00491be41aa5427f31b8b9a32a9b57da7e2e6dff5cb5143b376a5dd6570fe62a
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 00491be41aa5427f31b8b9a32a9b57da7e2e6dff5cb5143b376a5dd6570fe62a
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

advapi32.dll, xrefs: 00401A55
CryptGenKey, xrefs: 00401AAD
CryptDecrypt, xrefs: 00401AA0
CryptDestroyKey, xrefs: 00401A86
CryptAcquireContextA, xrefs: 00401A71
CryptEncrypt, xrefs: 00401A93
CryptImportKey, xrefs: 00401A79

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566
2!@, xrefs: 004016C5

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 283026544-2846199637
Opcode ID: 132a2296b2ff258622cfdc5610791c464188c2d7d3f69318739cc377377d902c
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 132a2296b2ff258622cfdc5610791c464188c2d7d3f69318739cc377377d902c
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 004014B3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566
2!@, xrefs: 004016C5

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 283026544-2846199637
Opcode ID: d9b1b6046084e2d9d8768fc4d8ac5865fa55d0fd0db9d64480dfd0594076ccd5
Instruction ID: 4f5db7b03fbae4bd1a74ba09c9783dfc14942441ffc150fb06ee42d3f2d97cbc
Opcode Fuzzy Hash: d9b1b6046084e2d9d8768fc4d8ac5865fa55d0fd0db9d64480dfd0594076ccd5
Instruction Fuzzy Hash: EF511C71901219AFDB219F95CD88BEEB7BCEB08380F1444BAF515F61A0D7399A45CF28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,?,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 71b96a770fe0ecad1357f1a23098f25de26b1f41743f28900a51c64cf9a44166
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: 71b96a770fe0ecad1357f1a23098f25de26b1f41743f28900a51c64cf9a44166
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

kernel32.dll, xrefs: 00401727
CloseHandle, xrefs: 0040178C
MoveFileExW, xrefs: 00401772
DeleteFileW, xrefs: 0040177F
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
MoveFileW, xrefs: 00401765
ReadFile, xrefs: 00401758

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00401FE7 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 132stringfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000208), ref: 0040201F

Part of subcall function 00401225: GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
Part of subcall function 00401225: wcslen.MSVCRT(?), ref: 00401279
Part of subcall function 00401225: wcslen.MSVCRT(?), ref: 00401298
Part of subcall function 00401225: srand.MSVCRT(00000001), ref: 004012A1
Part of subcall function 00401225: rand.MSVCRT ref: 004012AE
Part of subcall function 00401225: rand.MSVCRT ref: 004012C0
Part of subcall function 00401225: rand.MSVCRT ref: 004012DD

__p___argc.MSVCRT ref: 00402030
__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

CopyFileA.KERNEL32(?,tasksche.exe,00000000), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?), ref: 004020BB

Strings

TaskStart, xrefs: 00402145
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
t.wnry, xrefs: 00402125
attrib +h ., xrefs: 004020DC

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Namerand$AttributesDirectorystrrchrwcslen$ByteCharComputerCopyCurrentFullModuleMultiPathWideWindows__p___argc__p___argvsrandstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1102508541-2844324180
Opcode ID: fa07170e1e4a4f1b7f83228e29d312703e7eca5b79990a058ae1880847bcfca1
Instruction ID: 97633fc0405850e3ba211803acf8e340ff081048f6dba40907e2b9e4b27fb4f3
Opcode Fuzzy Hash: fa07170e1e4a4f1b7f83228e29d312703e7eca5b79990a058ae1880847bcfca1
Instruction Fuzzy Hash: 3741B472500359AEDB20A7B1DE49E9F376C9F10314F2005BFF645F61E2DE788D488A28

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

:, xrefs: 0040736E
\, xrefs: 00407358
%s%s%s, xrefs: 004072F6
%s%s, xrefs: 00407389

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: 4cc63effac65e5938d24d15cc637f4576a4bae754db62ced997f6066a9556017
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: 4cc63effac65e5938d24d15cc637f4576a4bae754db62ced997f6066a9556017
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
WanaCrypt0r, xrefs: 00401145
0@, xrefs: 00401157

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004077C7 Relevance: 16.6, APIs: 11, Instructions: 108COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
__setusermatherr.MSVCRT(0040793C), ref: 00407836
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000), ref: 004078F2
_XcptFilter.MSVCRT(?,?), ref: 00407904

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction ID: b6807de3fe1c3e28ab0f2b8c021909998ac3013dced3884fb388c7f537fcd598
Opcode Fuzzy Hash: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction Fuzzy Hash: A34173B1C04344AFDB20AFA4DE49AA97BB8BF05310F20417FE581B72E1D7786845CB59

Function 004021E9 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?,00000040,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C), ref: 00402313
HeapAlloc.KERNEL32(00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,?), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?,?,00000000,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

kernel32.dll, xrefs: 0040228C
GetNativeSystemInfo, xrefs: 004022A1

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-192647395
Opcode ID: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401DAB Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0000080A,XIA), ref: 00401DC3
LoadResource.KERNEL32(?,00000000), ref: 00401DD3
LockResource.KERNEL32(00000000), ref: 00401DDE
SizeofResource.KERNEL32(?,00000000,?), ref: 00401DF1
strcmp.MSVCRT(?,c.wnry,00000000,00000000,00000000), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

XIA, xrefs: 00401DB6
c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Resource$AttributesFileFindLoadLockSizeofstrcmp
String ID: XIA$c.wnry
API String ID: 1616299030-2505933848
Opcode ID: fa50258f105623fefeb72ee45be684de9f148c77f4537fdf01ad18e8f360a7dc
Instruction ID: c6e87d2598776ad3e20a4276f2cf7508875c12884426eb96d7428c940f8e6225
Opcode Fuzzy Hash: fa50258f105623fefeb72ee45be684de9f148c77f4537fdf01ad18e8f360a7dc
Instruction Fuzzy Hash: 93210332D001147ADB216631DC45FEF3A6C9F45360F1001B6FE48F21D1DB38DA998AE9

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
wcslen.MSVCRT(?), ref: 00401279
wcslen.MSVCRT(?), ref: 00401298
srand.MSVCRT(00000001), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407083
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00407091
memcpy.MSVCRT(?,004073A3,004073A3,?,00000000,00000000), ref: 004070CA
strcpy.MSVCRT(00000000,00000000,00000000,00000000), ref: 004070FB
strcat.MSVCRT(00000000,004073A3,00000000,00000000), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,00000000,00000000), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: c1a765a30f049a6e983e84c7fcdc04c319bd997b8f8109f685edbec73173bf57
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: c1a765a30f049a6e983e84c7fcdc04c319bd997b8f8109f685edbec73173bf57
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004027DF Relevance: 7.6, APIs: 5, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0,00000000), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID:
API String ID: 1241503663-0
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401906 Relevance: 7.6, APIs: 5, Instructions: 76filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF), ref: 004019A6

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 3fa06aadd2471a705e8128430a745042bdb722af5d61b5b79dd264e81bcff4b6
Instruction ID: 6e643f249040116b9fc09fba66d69f614d66e1f70caffd77d95453aa30823522
Opcode Fuzzy Hash: 3fa06aadd2471a705e8128430a745042bdb722af5d61b5b79dd264e81bcff4b6
Instruction Fuzzy Hash: B1216DB1905224AFCB219BA59D48BDF7E78EB097A0F14422BF415B22E0D7384845C7AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00000140,?,00406C12,?,00000000,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?,?,?), ref: 00405C38
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00406B8E Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003), ref: 00406BB5
strlen.MSVCRT(00000140,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 00406BBC
strcat.MSVCRT(00000140,0040F818,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000), ref: 00406BD7
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00406BEE

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction ID: 093f70e5e45cef0a0e83344fd40667ee43cd8b667dee5f3d4d1a5a93074d9648
Opcode Fuzzy Hash: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction Fuzzy Hash: 06112372004218AAFB305B28DD01BAB3368EB21720F21013FF592B91D0E778A9A2975D

Function 004074A4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004074A9
??2@YAPAXI@Z.MSVCRT(00000244,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074B5
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074FF

Part of subcall function 00407527: strlen.MSVCRT(00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 0040754F
Part of subcall function 00407527: ??2@YAPAXI@Z.MSVCRT(00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 00407556
Part of subcall function 00407527: strcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00407563

??2@YAPAXI@Z.MSVCRT(00000008,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 0040750B

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??2@$??3@H_prologstrcpystrlen
String ID:
API String ID: 1367312548-0
Opcode ID: a4ccc6bdab315bb6810547fd1e784a1e5bd6969783f5aead57b9b326a8da6d2d
Instruction ID: 24e2e141a7415e54cfde60e06bc6f84240982ef19f6b767edb42695c1fbc6ce5
Opcode Fuzzy Hash: a4ccc6bdab315bb6810547fd1e784a1e5bd6969783f5aead57b9b326a8da6d2d
Instruction Fuzzy Hash: C101D431D09111BBDB166F659C02B9E3EA0AF04764F10853FF806B76D1DB78AD00C69E

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 695026124e8f63dae5928df1cfc53220c2aa5689ade8ebf819959d8fbb63d2b2
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 695026124e8f63dae5928df1cfc53220c2aa5689ade8ebf819959d8fbb63d2b2
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000008.00000002.2103633594.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2103609083.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103662431.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103683700.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000008.00000002.2103706260.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5Q6ffmX9tQ.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
5Q6ffmX9tQ.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON