Edit tour

Windows Analysis Report
YZJG8NuHEP.dll

Overview

General Information

Sample name:	YZJG8NuHEP.dll renamed because original name is a hash value
Original sample name:	250ae430b49bdd1562898d702c452af3.dll
Analysis ID:	1591358
MD5:	250ae430b49bdd1562898d702c452af3
SHA1:	174f8cdb720423b02b6ccf5b31c98298f03b691d
SHA256:	b4dd6f60a6849d8be3154de26e48482b8b0d4e5c22033783954126e4b4fdf874
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many IPs within the same subnet mask (likely port scanning)

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Connects to several IPs in different countries

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7484 cmdline: loaddll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7532 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7560 cmdline: rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7544 cmdline: rundll32.exe C:\Users\user\Desktop\YZJG8NuHEP.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7584 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 36A6816280FA05CCF0410403B43F7091)

tasksche.exe (PID: 7688 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 72F53F9BE5E49E89CAED84A61110BF04)

WerFault.exe (PID: 7780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7952 cmdline: rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7968 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 36A6816280FA05CCF0410403B43F7091)

tasksche.exe (PID: 8028 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 72F53F9BE5E49E89CAED84A61110BF04)

WerFault.exe (PID: 8068 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 196 MD5: C31336C1EFC2CCB44B4326EA793040F2)

mssecsvc.exe (PID: 7628 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 36A6816280FA05CCF0410403B43F7091)

svchost.exe (PID: 7704 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7748 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 8040 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8028 -ip 8028 MD5: C31336C1EFC2CCB44B4326EA793040F2)

mssecsvc.exe (PID: 7408 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 36A6816280FA05CCF0410403B43F7091)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
YZJG8NuHEP.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
YZJG8NuHEP.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000014.00000002.2955717981.000000000228B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.1697675504.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1699473537.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000014.00000002.2955258904.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000014.00000000.2950059693.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000002.1729378890.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2343027170.000000000212C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.2342710873.0000000001C12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000000.1726689356.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7584	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7628	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7968	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7408	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.227c8c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
20.2.mssecsvc.exe.227c8c8.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
12.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d5c084.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
20.2.mssecsvc.exe.1d5c084.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d6b104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.1d6b104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.1d6b104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d8e128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.1d8e128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.212c948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.212c948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.212c948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
20.2.mssecsvc.exe.22ae96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.22ae96c.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.214f96c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.214f96c.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c03084.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.1c03084.5.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
20.2.mssecsvc.exe.228b948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.228b948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.228b948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.211d8c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.211d8c8.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
5.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c35128.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.1c35128.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c12104.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1c12104.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.1c12104.2.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.22ae96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.22ae96c.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d5c084.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.1d5c084.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x273bb0:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x23e26c:$x7: mssecsvc.exe 0x259b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x273b88:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x23e254:$s1: C:\%s\%s 0x259b7c:$s1: C:\%s\%s 0x273b9c:$s1: C:\%s\%s 0x2b6268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x270ed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x25e2c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x24b975:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x2460ba:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
20.2.mssecsvc.exe.1d5c084.2.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
20.2.mssecsvc.exe.1d5c084.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2768fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x24a984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24a8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24c25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27c0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
20.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
20.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.214f96c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.214f96c.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c35128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.1c35128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
12.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
12.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.212c948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.212c948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d670a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.1d670a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c12104.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1c12104.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x5029ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5029d4:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50a83a:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5083a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.1d8e128.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
20.2.mssecsvc.exe.1d8e128.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.227c8c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.227c8c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
20.2.mssecsvc.exe.227c8c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
20.2.mssecsvc.exe.227c8c8.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
6.2.mssecsvc.exe.21288e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.21288e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.1c03084.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1c03084.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x26dbb0:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x23826c:$x7: mssecsvc.exe 0x253b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x26db88:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x238254:$s1: C:\%s\%s 0x253b7c:$s1: C:\%s\%s 0x26db9c:$s1: C:\%s\%s 0x2b0268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x26aed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x2582c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x245975:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x2400ba:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
6.2.mssecsvc.exe.1c03084.5.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.1c03084.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2708fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x244984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2448d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24625a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2760a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.1c0e0a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.1c0e0a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.211d8c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.211d8c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.211d8c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.211d8c8.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
20.2.mssecsvc.exe.1d6b104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.1d6b104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x5089ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5089d4:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50d5a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
13.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
13.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
13.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
13.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.228b948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.228b948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
20.2.mssecsvc.exe.22878e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
20.2.mssecsvc.exe.22878e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Click to see the 135 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7704, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: YZJG8NuHEP.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: HEUR/AGEN.1339339

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 100%
Source: C:\WINDOWS\qeriuwjhrf (copy)	Virustotal: Detection: 84%	Perma Link
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 100%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 84%	Perma Link

Multi AV Scanner detection for submitted file

Source: YZJG8NuHEP.dll	ReversingLabs: Detection: 92%
Source: YZJG8NuHEP.dll	Virustotal: Detection: 94%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: YZJG8NuHEP.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: YZJG8NuHEP.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Connects to many IPs within the same subnet mask (likely port scanning)

Source: global traffic

TCP traffic: Count: 12 IPs: 62.23.223.1,62.23.223.3,62.23.223.10,62.23.223.2,62.23.223.5,62.23.223.4,62.23.223.11,62.23.223.7,62.23.223.6,62.23.223.9,62.23.223.8,62.23.223.121

Source: unknown

Network traffic detected: IP country count 10

Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.121
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.121
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.121
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.121
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.249
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.249
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.249
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.249
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 154.37.134.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.35
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.35
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.35
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.35
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 95.132.23.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 62.23.223.1
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.46
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.46
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.46
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.1
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.46
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.1
Source: unknown	TCP traffic detected without corresponding DNS query: 132.150.152.1

Source: Amcache.hve.10.dr

String found in binary or memory: http://upx.sf.net

Source: unknown

Network traffic detected: HTTP traffic on port 49675 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: YZJG8NuHEP.dll, type: SAMPLE
Source: Yara match	File source: 20.2.mssecsvc.exe.1d6b104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.212c948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.228b948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1c12104.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.212c948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.1d670a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1c12104.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.21288e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.1c0e0a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.1d6b104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.228b948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mssecsvc.exe.22878e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2955717981.000000000228B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.1697675504.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1699473537.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2955258904.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2950059693.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1729378890.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2343027170.000000000212C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2342710873.0000000001C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1726689356.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7628, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7408, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: YZJG8NuHEP.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.227c8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.227c8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d5c084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.1d5c084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d6b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.1d6b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d8e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.1d8e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.212c948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.212c948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 20.2.mssecsvc.exe.22ae96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.22ae96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.214f96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.214f96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c03084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c03084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.228b948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.228b948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.211d8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.211d8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c35128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c35128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c12104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c12104.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.22ae96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.22ae96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.214f96c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.214f96c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c35128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c35128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.212c948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d670a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c12104.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d8e128.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.1d8e128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.21288e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.1c0e0a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.1d6b104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 13.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 13.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 13.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 13.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.228b948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 20.2.mssecsvc.exe.22878e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 7_2_00406C40	7_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 7_2_00402A76	7_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 7_2_00402E7E	7_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 7_2_0040350F	7_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 7_2_00404C19	7_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 7_2_0040541F	7_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 7_2_00403797	7_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 7_2_004043B6	7_2_004043B6
Source: C:\Windows\tasksche.exe	Code function: 7_2_004031BC	7_2_004031BC

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688

Source: tasksche.exe.5.dr

Static PE information: No import functions for PE file found

Source: YZJG8NuHEP.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: YZJG8NuHEP.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.227c8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.227c8c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d5c084.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.1d5c084.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d6b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.1d6b104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d8e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.1d8e128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.212c948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.212c948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 20.2.mssecsvc.exe.22ae96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.22ae96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.214f96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.214f96c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c03084.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c03084.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.228b948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.228b948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.211d8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.211d8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c35128.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c35128.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c12104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c12104.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.22ae96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.22ae96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 20.2.mssecsvc.exe.1d5c084.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 20.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 20.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.214f96c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.214f96c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c35128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c35128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 12.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 12.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.212c948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d670a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c12104.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d8e128.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.1d8e128.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 20.2.mssecsvc.exe.227c8c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.21288e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.1c03084.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.1c0e0a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.211d8c8.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.1d6b104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 13.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 13.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 13.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.228b948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 20.2.mssecsvc.exe.22878e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: classification engine

Classification label: mal100.rans.troj.expl.evad.winDLL@32/15@0/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	20_2_00407C40

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,	5_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,	6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 20_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,	20_2_00408090

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7748:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:8040:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7688
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8028

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8dd29d91-d552-4aa2-8dd7-52ba3f9a68b2

Jump to behavior

Source: YZJG8NuHEP.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YZJG8NuHEP.dll,PlayGame

Source: YZJG8NuHEP.dll	ReversingLabs: Detection: 92%
Source: YZJG8NuHEP.dll	Virustotal: Detection: 94%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YZJG8NuHEP.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 228
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8028 -ip 8028
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 196
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\YZJG8NuHEP.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 228	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8028 -ip 8028	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 196	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: YZJG8NuHEP.dll

Static file information: File size 5267459 > 1048576

Source: YZJG8NuHEP.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe	Code function: 7_2_00407710 push eax; ret		7_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 7_2_004076C8 push eax; ret		7_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 7652	Thread sleep count: 90 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7652	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7664	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7664	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7652	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\mssecsvc.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mssecsvc.exe, 00000005.00000002.1703306317.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.2342255281.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000014.00000002.2954451473.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: mssecsvc.exe, 0000000C.00000002.1731887932.0000000000E24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\tasksche.exe

Code function: 7_2_004077BA EntryPoint,LdrInitializeThunk,

7_2_004077BA

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 228	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8028 -ip 8028	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 196	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
YZJG8NuHEP.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
YZJG8NuHEP.dll	94%	Virustotal		Browse
YZJG8NuHEP.dll	100%	Avira	TR/Ransom.Gen
YZJG8NuHEP.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	HEUR/AGEN.1339339
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\WINDOWS\qeriuwjhrf (copy)	85%	Virustotal		Browse
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	85%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.10.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
44.158.242.1	unknown	United States	62383	LDS-ASBE	false
44.158.242.2	unknown	United States	62383	LDS-ASBE	false
220.64.64.1	unknown	Korea Republic of	9457	DREAMX-ASDREAMLINECOKR	false
116.248.34.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
62.23.223.7	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	true
93.57.185.166	unknown	Italy	12874	FASTWEBIT	false
62.23.223.6	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	true
62.23.223.9	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	true
62.23.223.8	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	true
153.21.9.247	unknown	United States	9877	NGEEANN-POLY-AS-APNgeeAnnPolytechnicComputerCenterSG	false
26.53.204.194	unknown	United States	7922	COMCAST-7922US	false
132.150.152.46	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
94.19.17.1	unknown	Russian Federation	35807	SKYNET-SPB-ASRU	false
153.21.9.1	unknown	United States	9877	NGEEANN-POLY-AS-APNgeeAnnPolytechnicComputerCenterSG	false
132.150.152.2	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
132.150.152.1	unknown	Norway	2119	TELENOR-NEXTELTelenorNorgeASNO	false
126.46.181.1	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
26.53.204.1	unknown	United States	7922	COMCAST-7922US	false
138.57.43.236	unknown	United States	2611	BELNETBE	false
62.23.223.121	unknown	United Kingdom	8220	COLTCOLTTechnologyServicesGroupLimitedGB	true
51.209.245.1	unknown	United States	2686	ATGS-MMD-ASUS	false
29.248.211.36	unknown	United States	7922	COMCAST-7922US	false
44.158.242.97	unknown	United States	62383	LDS-ASBE	false
61.245.141.101	unknown	Australia	4764	WIDEBAND-AS-APAussieBroadbandAU	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591358
Start date and time:	2025-01-14 22:40:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	YZJG8NuHEP.dll renamed because original name is a hash value
Original Sample Name:	250ae430b49bdd1562898d702c452af3.dll
Detection:	MAL
Classification:	mal100.rans.troj.expl.evad.winDLL@32/15@0/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172, 2.17.190.73, 20.189.173.20, 20.42.65.92, 40.126.32.72, 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:41:05	API Interceptor	1x Sleep call for process: loaddll32.exe modified
16:41:20	API Interceptor	2x Sleep call for process: WerFault.exe modified
16:41:37	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DREAMX-ASDREAMLINECOKR	meth9.elf	Get hash	malicious	Mirai	Browse	59.150.221.243
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	61.103.229.178
	miori.spc.elf	Get hash	malicious	Unknown	Browse	211.61.228.185
	3.elf	Get hash	malicious	Unknown	Browse	220.230.200.173
	armv6l.elf	Get hash	malicious	Mirai	Browse	211.249.146.197
	armv4l.elf	Get hash	malicious	Unknown	Browse	211.61.228.158
	arm.elf	Get hash	malicious	Mirai	Browse	220.64.204.182
	nshmips.elf	Get hash	malicious	Mirai	Browse	211.249.143.37
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	61.103.130.200
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	211.175.167.49
CHINANET-BACKBONENo31Jin-rongStreetCN	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	115.209.51.51
	eIZi481eP6.dll	Get hash	malicious	Wannacry	Browse	58.51.75.1
	m9oUIFauYl.dll	Get hash	malicious	Wannacry	Browse	112.117.58.143
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	49.87.106.1
	sUlHfYQxNw.dll	Get hash	malicious	Wannacry	Browse	116.209.81.1
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	115.153.235.1
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	222.171.201.209
	6KJ3FjgeLv.dll	Get hash	malicious	Wannacry	Browse	182.204.40.1
	Fantazy.arm4.elf	Get hash	malicious	Unknown	Browse	36.50.208.242
	meth10.elf	Get hash	malicious	Mirai	Browse	218.0.197.161
LDS-ASBE	meth8.elf	Get hash	malicious	Mirai	Browse	44.148.110.103
	meth15.elf	Get hash	malicious	Mirai	Browse	44.144.181.7
	sora.mips.elf	Get hash	malicious	Unknown	Browse	44.159.253.120
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	44.150.102.171
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	44.159.165.138
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	44.156.172.122
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	44.154.60.243
	nklarm7.elf	Get hash	malicious	Unknown	Browse	44.146.241.15
	nshppc.elf	Get hash	malicious	Mirai	Browse	44.154.12.42
	arm7.elf	Get hash	malicious	Mirai	Browse	44.151.175.106
LDS-ASBE	meth8.elf	Get hash	malicious	Mirai	Browse	44.148.110.103
	meth15.elf	Get hash	malicious	Mirai	Browse	44.144.181.7
	sora.mips.elf	Get hash	malicious	Unknown	Browse	44.159.253.120
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	44.150.102.171
	Fantazy.mpsl.elf	Get hash	malicious	Unknown	Browse	44.159.165.138
	kwari.arm7.elf	Get hash	malicious	Mirai	Browse	44.156.172.122
	db0fa4b8db0333367e9bda3ab68b8042.spc.elf	Get hash	malicious	Mirai, Gafgyt	Browse	44.154.60.243
	nklarm7.elf	Get hash	malicious	Unknown	Browse	44.146.241.15
	nshppc.elf	Get hash	malicious	Mirai	Browse	44.154.12.42
	arm7.elf	Get hash	malicious	Mirai	Browse	44.151.175.106

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_95c5d52131db7cdcde798bdada93a1a1ba417_34a83304_57113ea3-4897-475b-987e-e697450e5ca3\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6333242484542037
Encrypted:	false
SSDEEP:	96:miF1IPCs1h6oIa7RE6tQXIDcQSDc6SIwcEGcw3lm/+HbHg6ZAX/d5FMT2SlPkpXU:NfqC9j04DmIwsxmkjEzuiFMZ24IO8vw
MD5:	91A721B487BFBFC4717B51BA66AF2C48
SHA1:	879F141E16BBA0594BFB91919ADAADD195A59C95
SHA-256:	1E90C8B3177E3E6A7CBDB53877998E7E887D9D8780C5DE9C4E4AFF6831F1B597
SHA-512:	953789E22890754DB401667465997112A83FE47D914AD6308B79A49CD965D313F17D63A2BA07AD260BE45B7193698E4AC151A670D104B50524EF009040D8B5FC
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.6.4.4.6.3.0.3.2.5.2.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.6.4.4.6.4.6.4.1.9.1.3.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.1.1.3.e.a.3.-.4.8.9.7.-.4.7.5.b.-.9.8.7.e.-.e.6.9.7.4.5.0.e.5.c.a.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.e.6.a.a.0.9.6.-.9.5.2.1.-.4.b.4.2.-.9.2.5.b.-.b.f.4.1.9.d.3.d.2.4.8.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.a.s.k.s.c.h.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.0.8.-.0.0.0.1.-.0.0.1.4.-.5.a.0.0.-.0.6.0.2.c.d.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.f.7.5.0.4.c.e.4.c.c.7.1.0.3.a.c.6.3.0.3.1.1.c.0.1.6.c.2.e.7.0.0.0.0.f.f.f.f.!.0.0.0.0.b.f.1.f.9.7.3.f.8.3.8.4.6.b.e.3.9.d.7.1.f.a.9.6.9.0.6.3.e.e.1.2.7.7.c.1.0.6.3.6.!.t.a.s.k.s.c.h.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.0./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_95c5d52131db7cdcde798bdada93a1a1ba417_34a83304_ebbf6be9-8573-47fc-ae79-7da5b7c9842d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6259732965392993
Encrypted:	false
SSDEEP:	192:vaqNK9j04DmIwsxmkjlzuiFMZ24IO8vw:ioK9Q4Dm9sxmkjlzuiFMY4IO8vw
MD5:	45DD70ADCCA3F65A59EE35E6AA432918
SHA1:	17BEB6245124004C80FF5BF00A954AA4FCFE002D
SHA-256:	AA5DF00CB8E1E7A868E20ECD6842FF0944F4368954C1CEEB734497760A27974E
SHA-512:	035DE50F12023CE414E614BD29A71992A95BA4FF1A0C2EB63302C85BD5B7F6ECEF2BC98D839A11645EA3FC8A949F0EFBBD22716ABB1BD08A0530DBF7534FDCB3
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.3.6.4.4.6.5.6.9.4.2.4.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.3.6.4.4.6.7.4.5.9.8.7.6.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.b.f.6.b.e.9.-.8.5.7.3.-.4.7.f.c.-.a.e.7.9.-.7.d.a.5.b.7.c.9.8.4.2.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.4.d.3.9.e.5.9.-.8.3.5.a.-.4.f.f.f.-.9.6.3.c.-.0.4.8.8.0.8.9.9.5.b.0.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.a.s.k.s.c.h.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.5.c.-.0.0.0.1.-.0.0.1.4.-.b.0.7.f.-.a.8.0.3.c.d.6.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.f.7.5.0.4.c.e.4.c.c.7.1.0.3.a.c.6.3.0.3.1.1.c.0.1.6.c.2.e.7.0.0.0.0.f.f.f.f.!.0.0.0.0.b.f.1.f.9.7.3.f.8.3.8.4.6.b.e.3.9.d.7.1.f.a.9.6.9.0.6.3.e.e.1.2.7.7.c.1.0.6.3.6.!.t.a.s.k.s.c.h.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.0./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF06.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 14 21:41:03 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1055652
Entropy (8bit):	0.8454122458025125
Encrypted:	false
SSDEEP:	1536:HtPTNGDtahkFffHeJYjSdrS3MQIpm4d5MVJaUWpgqkGMV:NPTNmlfHeJ6M4Mw4d5MVlWpgqkV
MD5:	542083A9B2D16FDB805EE0166B0AE70F
SHA1:	AE91FB5850ECDFFE773622CF624C0DF5B31A5EBD
SHA-256:	8E20F002F57DC10C65337CCC18151D7D7F5667768421807B30FAD30E22FD559E
SHA-512:	14EB00BF32A783B7665A4E6E72E00B794E24D9CB7D3D0823D8E8C0FBEF642EE666D37A4593C29F2DEC2C5B92F82FA3FCD5290D188B96F9A9248EE79D4653217A
Malicious:	false
Preview:	MDMP..a..... .........g............4...............<.......D...............T.......8...........T...........H...\.......................................................................................................eJ......L.......GenuineIntel............T.............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC485.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6372
Entropy (8bit):	3.7117347254788613
Encrypted:	false
SSDEEP:	192:R6l7wVeJ4y6mbJeYIW6cIimpD089bpLsfmqDm:R6lXJN6NYIW6cCpQf8
MD5:	7C34FF825B9D2E5A6F639B05825066FB
SHA1:	A8E1920175BB602E388C8BE8AEC4364F79683CDB
SHA-256:	EE74F8651B8B8FEAEFFC25797C7019235293AB2E2E09C82371E84A8B648E42DA
SHA-512:	ADB288DC3431FC9C9B555ABF924EBD53583FA8231D476399112CEE34AACC060CD936955EF53F0BB394E7E383A77E534F49BB356698CFE102ED58E776FBEBEDFB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4A5.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.458177782901301
Encrypted:	false
SSDEEP:	48:cvIwWl8zs7Jg77aI9XADXWpW8VYYYm8M4JNOJO3FMR+q8vYOJOGg6aFymd:uIjfVI75ADm7V8JezK9A6aFymd
MD5:	6C67D6678DFFB8A001FC6171D70753A7
SHA1:	4F6329868CF538CC380C2764F6B18FA4C39A4601
SHA-256:	3073A5093B34D8E02FB55CED0987F75929266D9A03EE557B5210F00DE5A5E03B
SHA-512:	9CB6C45EA7171AB8E5832D1B6BA2254EDD5FD1DD37B0EC222AD0395765968A08450A17680AB2FD623AFC5BD4995666D43F902E15D438E52536BF1701191F8962
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="676123" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4B3.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	91092
Entropy (8bit):	3.123153059716025
Encrypted:	false
SSDEEP:	768:yCCe6WJffmhm06BuIp5AQAf8EipUVdo17MZQKQERDb007/QXA:yZe6WJWhm06BuIVC8g3ohMuKQE1b002A
MD5:	D8653B3C3027F9B4A049186FFE22A567
SHA1:	3A558188970F6FBC9F85F008CD16BED6573CB2B2
SHA-256:	C83EB0F417194543EB79915701AE43F2E927350D4963BCF5EBC3E45E683C6791
SHA-512:	F04129AEDBA1A63DB37B4047F5B1BCF92A860245A7EE9E32F06DF8EA6122C39B8937A28123D4D9D8A3865FFC8D1B44DA83F0BADE7737F434EDE540C4A8BF35D1
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC502.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.685000877767686
Encrypted:	false
SSDEEP:	96:TiZYWAk0MwbTY7YhWEUUHgYEZMytEiA4gmnwe+iRU1aL7GMJsxIbk3:2ZDAdTceKzRkaL7GMJsubk3
MD5:	A9278F066CC40D0828A4F37A92BE5E2A
SHA1:	857C0B81FBD6DA02E713BB573AEBCCF0B568BF3A
SHA-256:	922416AAB0504C0E7C4087CC0354790F41241EAE5798BDD1BE4BCE563D8BAC07
SHA-512:	F05E04DD4AD31C556F05B0847413E0D66AEF2413EDACC8D9A119159E0F59DB32187175D375A93CDAD3FBC660E07250FD0DA95F7647D7E482A306105B0C748D2B
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC975.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Jan 14 21:41:05 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1055184
Entropy (8bit):	0.8460974449561991
Encrypted:	false
SSDEEP:	1536:LNzTNiDtmhkRvnHi9obWNbS7MwIpGod5cNVagWpMKAmt:hzTNWBnHi9SAEMgod5cNtWpMKA0
MD5:	7CF0D7CA60753F551D9223B3C82D7F8A
SHA1:	03DB1246EBC180177ADA0280DC70E5B91D88F8DA
SHA-256:	C6FE4245E646EE33BE7B9D60B421D8AF44EB403FE6F3F4EF9D7847DF86B78AA8
SHA-512:	089DA771581DB50C06587CFCD771E9860CA7F04D565E0025470CCFD11AE9FDFC907143DC7EBBDC18BA05B4C5BC53A0BDF406FCDA496BC47539D9196449994D28
Malicious:	false
Preview:	MDMP..a..... .........g............4........... ...<.......D...............T.......8...........T...........................\...........H...............................................................................eJ..............GenuineIntel............T.......\.....g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFB0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6372
Entropy (8bit):	3.713590249931902
Encrypted:	false
SSDEEP:	192:R6l7wVeJbk6+f0sYIW6cIimpDM89bUbjsfFNajm:R6lXJo6U3YIW6caUbIfFE6
MD5:	FA11BD0D8F07DAB8AA9FED34BBD8E096
SHA1:	487D5F22BE68EA08A8393C7D90862CB1E67F445D
SHA-256:	C379CADE54E78DEBBCC572850EA9870A9F288BFD762BC1FBAC4A0AA063AFAC9C
SHA-512:	96E00C3B1722F96C9A825AC6F584E4922F03F9915736BC5867FBA0516899703AA7039F7A044DFE61146265162DEC67793410A8A0B0D1DC96D0CAC3A69EBDA025
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.0.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFD0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.4618536944371
Encrypted:	false
SSDEEP:	48:cvIwWl8zs7Jg77aI9XADXWpW8VY6Ym8M4JNOJO3FPt+q8vYOJOJ6aFyJd:uIjfVI75ADm7VaJewK9O6aFyJd
MD5:	67D02E642E7B39ECB5B79D50D4538190
SHA1:	1DC1A50BBF6E61CCACC3851444560B2B64870CF9
SHA-256:	87EC6DC88FB6795CA88ED96D93A49329094528675718FDA3D2342CBF0850741E
SHA-512:	CEE9C88E44148E93380125298B2276CCED1666BA7A1BF6E5259D2AE75CDFA121B46D892B6D849FDEC626E5FBCFC9D3CAF3136F5FE6118169C43F568445BD80B6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="676123" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFE0.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	91072
Entropy (8bit):	3.1225419101004155
Encrypted:	false
SSDEEP:	768:JufrzeE5JzwH/rv1C+cAzX8ciwFVdqT7sZWkQP6Db00oY1ZX:JufeE5Ju/rv1Cg8S3q3s4kQPQb00FDX
MD5:	A6616B7683D5545D199056C9618BDB36
SHA1:	F2235D9345EC5BCAC12AC94DB31D7A17B74EB5D8
SHA-256:	FFB4689028C5354E4A1DF0767CE540132CD9C97629E7A8EF4AB6C05AF83DC962
SHA-512:	C0E0197023902724B9B2DD42A1AF7AFB79FB926F659F8CD8BC9B9FEF459DEC17129A1440091E842099854A6A16C988366CA38A1D50A3EBF36CEBF2EF425D3717
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD02F.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6853808877143233
Encrypted:	false
SSDEEP:	96:TiZYWgC7lcYrYvWbHJYEZVWtEi44MmqwB4sak7RMssdIsk3:2ZDgcTmxak7RMssisk3
MD5:	B263FCF079ECB9FAEF832168B7C3F95A
SHA1:	8ECEC0825B94723273FD5BD95E4C9AECC8D5EF03
SHA-256:	634D515F07373E66D5136867397AE1DA99F6A1316529DD58030ED2AFE5F1E493
SHA-512:	627D009C3FD797A03E2F56DD2190664AB4412E881970AEEC4B5742C7B3879E508022DFD98E904492BA48E6FF7BC81D85ED7B26B1CD9E07A24C0C567A3F5F0D46
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.930314772726457
Encrypted:	false
SSDEEP:	98304:QcPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QcPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	72F53F9BE5E49E89CAED84A61110BF04
SHA1:	BF1F973F83846BE39D71FA969063EE1277C10636
SHA-256:	0E0F19EA3F851D5EBF2134ED6DFD9CA50051BB0EB09BCFDFD4E856318FB89CF2
SHA-512:	90B81AB777D1CB33F93005B6123AFC6C0A2A29EEAA6DE89634A6C749974CBAF827E6D24B5DE5B26570D59ACE4A3B68CBD235A6B97E89EE589E5B47C92BB96EA3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 85%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.46534395433196
Encrypted:	false
SSDEEP:	6144:wIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNTdwBCswSbw:VXD94+WlLZMM6YFH5+w
MD5:	8D976F8A856989C76790A0B85DFC8B30
SHA1:	66052285627620B5E1AE5467C481FE999FE73269
SHA-256:	59064E04BA4C196175699509E045C542654C34FD4CA3F99EC15AA65B3730A9C8
SHA-512:	B538D79F13BA3DB29B2332C2E34E542A76B47ABB30F37D74D260D60234A406E523D477626B032A54CCACCD877FDC1D2B33AEB1B1008A9CB9B9F33B613EBA19D6
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..:..f...............................................................................................................................................................................................................................................................................................................................................\|-6........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.930314772726457
Encrypted:	false
SSDEEP:	98304:QcPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QcPe1Cxcxk3ZAEUadzR8yc4Hj
MD5:	72F53F9BE5E49E89CAED84A61110BF04
SHA1:	BF1F973F83846BE39D71FA969063EE1277C10636
SHA-256:	0E0F19EA3F851D5EBF2134ED6DFD9CA50051BB0EB09BCFDFD4E856318FB89CF2
SHA-512:	90B81AB777D1CB33F93005B6123AFC6C0A2A29EEAA6DE89634A6C749974CBAF827E6D24B5DE5B26570D59ACE4A3B68CBD235A6B97E89EE589E5B47C92BB96EA3
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100% Antivirus: Virustotal, Detection: 85%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.289629993867342
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	YZJG8NuHEP.dll
File size:	5'267'459 bytes
MD5:	250ae430b49bdd1562898d702c452af3
SHA1:	174f8cdb720423b02b6ccf5b31c98298f03b691d
SHA256:	b4dd6f60a6849d8be3154de26e48482b8b0d4e5c22033783954126e4b4fdf874
SHA512:	0841cfab944200b64c10bc9948f94c8e5a77dab72bd96a560f1227366fb3c84dd79aa4c3914d348c1aae2a43d90b956a66d03ca778ec5c5324b37c9e0d404328
SSDEEP:	98304:d8cPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:d8cPe1Cxcxk3ZAEUadzR8yc4H
TLSH:	F7363394A56CA0FCE0440EF404778D5AF7B73C296BBB4A1F8BC0866A0D53F5BABD4641
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F248104E82Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F248104E848h
cmp esi, 01h
je 00007F248104E827h
cmp esi, 02h
jne 00007F248104E844h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F248104E82Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F248104E82Eh
push edi
push esi
push ebx
call 00007F248104E73Ah
test eax, eax
jne 00007F248104E826h
xor eax, eax
jmp 00007F248104E870h
push edi
push esi
push ebx
call 00007F248104E5ECh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F248104E82Eh
test eax, eax
jne 00007F248104E859h
push edi
push eax
push ebx
call 00007F248104E716h
test esi, esi
je 00007F248104E827h
cmp esi, 03h
jne 00007F248104E848h
push edi
push esi
push ebx
call 00007F248104E705h
test eax, eax
jne 00007F248104E825h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F248104E833h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F248104E82Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	b2153274b2411da064fffaf0748bd151	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.7920007705688477

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 22:41:03.416212082 CET	49730	445	192.168.2.4	62.23.223.121
Jan 14, 2025 22:41:03.421324968 CET	445	49730	62.23.223.121	192.168.2.4
Jan 14, 2025 22:41:03.421400070 CET	49730	445	192.168.2.4	62.23.223.121
Jan 14, 2025 22:41:03.421437025 CET	49730	445	192.168.2.4	62.23.223.121
Jan 14, 2025 22:41:03.421600103 CET	49731	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.426567078 CET	445	49730	62.23.223.121	192.168.2.4
Jan 14, 2025 22:41:03.426599979 CET	445	49731	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:03.426646948 CET	49730	445	192.168.2.4	62.23.223.121
Jan 14, 2025 22:41:03.426680088 CET	49731	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.427288055 CET	49731	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.429241896 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.432204962 CET	445	49731	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:03.432264090 CET	49731	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.434091091 CET	445	49733	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:03.434164047 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.434221029 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:03.439008951 CET	445	49733	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:05.091293097 CET	445	49733	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:05.091537952 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:05.091537952 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:05.091643095 CET	49733	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:05.096656084 CET	445	49733	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:05.096685886 CET	445	49733	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:05.365062952 CET	49675	443	192.168.2.4	173.222.162.32
Jan 14, 2025 22:41:05.413249969 CET	49755	445	192.168.2.4	154.37.134.249
Jan 14, 2025 22:41:05.418415070 CET	445	49755	154.37.134.249	192.168.2.4
Jan 14, 2025 22:41:05.418633938 CET	49755	445	192.168.2.4	154.37.134.249
Jan 14, 2025 22:41:05.418673038 CET	49755	445	192.168.2.4	154.37.134.249
Jan 14, 2025 22:41:05.419013977 CET	49756	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.423764944 CET	445	49755	154.37.134.249	192.168.2.4
Jan 14, 2025 22:41:05.423825026 CET	49755	445	192.168.2.4	154.37.134.249
Jan 14, 2025 22:41:05.423928022 CET	445	49756	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:05.424024105 CET	49756	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.424110889 CET	49756	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.425118923 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.429112911 CET	445	49756	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:05.429208994 CET	49756	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.429920912 CET	445	49757	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:05.429996967 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.430043936 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:05.434919119 CET	445	49757	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:07.816996098 CET	49780	445	192.168.2.4	95.132.23.35
Jan 14, 2025 22:41:07.822169065 CET	445	49780	95.132.23.35	192.168.2.4
Jan 14, 2025 22:41:07.822243929 CET	49780	445	192.168.2.4	95.132.23.35
Jan 14, 2025 22:41:07.822295904 CET	49780	445	192.168.2.4	95.132.23.35
Jan 14, 2025 22:41:07.823340893 CET	49781	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.828226089 CET	445	49780	95.132.23.35	192.168.2.4
Jan 14, 2025 22:41:07.828279972 CET	49780	445	192.168.2.4	95.132.23.35
Jan 14, 2025 22:41:07.829719067 CET	445	49781	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:07.829813004 CET	49781	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.829829931 CET	49781	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.835038900 CET	445	49781	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:07.835083961 CET	49781	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.835290909 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.840239048 CET	445	49782	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:07.840467930 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.840468884 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:07.845446110 CET	445	49782	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:08.099699974 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:08.104635000 CET	445	49788	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:08.104708910 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:08.104751110 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:08.109662056 CET	445	49788	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:09.766969919 CET	445	49788	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:09.767366886 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:09.767404079 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:09.767473936 CET	49788	445	192.168.2.4	62.23.223.1
Jan 14, 2025 22:41:09.772296906 CET	445	49788	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:09.772311926 CET	445	49788	62.23.223.1	192.168.2.4
Jan 14, 2025 22:41:09.788101912 CET	49807	445	192.168.2.4	132.150.152.46
Jan 14, 2025 22:41:09.793092012 CET	445	49807	132.150.152.46	192.168.2.4
Jan 14, 2025 22:41:09.794853926 CET	49807	445	192.168.2.4	132.150.152.46
Jan 14, 2025 22:41:09.794853926 CET	49807	445	192.168.2.4	132.150.152.46
Jan 14, 2025 22:41:09.794958115 CET	49808	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.799873114 CET	445	49808	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:09.799887896 CET	445	49807	132.150.152.46	192.168.2.4
Jan 14, 2025 22:41:09.800060034 CET	49807	445	192.168.2.4	132.150.152.46
Jan 14, 2025 22:41:09.800060034 CET	49808	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.800060034 CET	49808	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.800812006 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.805144072 CET	445	49808	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:09.805625916 CET	445	49809	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:09.805682898 CET	49808	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.805694103 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.805722952 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:09.810570002 CET	445	49809	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:09.818522930 CET	49810	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.823297977 CET	445	49810	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:09.826641083 CET	49810	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.826675892 CET	49810	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.827507019 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.832499981 CET	445	49810	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:09.833055973 CET	445	49812	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:09.833108902 CET	49810	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.833125114 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.833177090 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:09.838244915 CET	445	49812	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:11.464967012 CET	445	49812	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:11.465178967 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:11.465179920 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:11.465179920 CET	49812	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:11.470148087 CET	445	49812	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:11.470176935 CET	445	49812	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:11.803673983 CET	49835	445	192.168.2.4	44.158.242.97
Jan 14, 2025 22:41:11.808679104 CET	445	49835	44.158.242.97	192.168.2.4
Jan 14, 2025 22:41:11.808923006 CET	49835	445	192.168.2.4	44.158.242.97
Jan 14, 2025 22:41:11.808923006 CET	49835	445	192.168.2.4	44.158.242.97
Jan 14, 2025 22:41:11.808937073 CET	49836	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.813827991 CET	445	49836	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:11.813905954 CET	49836	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.813920021 CET	49836	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.814234972 CET	445	49835	44.158.242.97	192.168.2.4
Jan 14, 2025 22:41:11.814323902 CET	49835	445	192.168.2.4	44.158.242.97
Jan 14, 2025 22:41:11.814909935 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.819180965 CET	445	49836	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:11.819245100 CET	49836	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.819782972 CET	445	49837	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:11.819880009 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.819880009 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:11.824836016 CET	445	49837	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:13.818908930 CET	49859	445	192.168.2.4	93.57.185.166
Jan 14, 2025 22:41:13.823971033 CET	445	49859	93.57.185.166	192.168.2.4
Jan 14, 2025 22:41:13.824057102 CET	49859	445	192.168.2.4	93.57.185.166
Jan 14, 2025 22:41:13.824095011 CET	49859	445	192.168.2.4	93.57.185.166
Jan 14, 2025 22:41:13.824366093 CET	49860	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.829289913 CET	445	49860	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:13.829323053 CET	445	49859	93.57.185.166	192.168.2.4
Jan 14, 2025 22:41:13.829370975 CET	49860	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.829394102 CET	49859	445	192.168.2.4	93.57.185.166
Jan 14, 2025 22:41:13.829412937 CET	49860	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.830313921 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.834433079 CET	445	49860	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:13.834497929 CET	49860	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.835139036 CET	445	49861	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:13.835206032 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.835256100 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:13.840028048 CET	445	49861	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:14.474720955 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:14.479777098 CET	445	49870	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:14.479852915 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:14.479898930 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:14.484762907 CET	445	49870	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:15.834089041 CET	49886	445	192.168.2.4	40.106.189.246
Jan 14, 2025 22:41:15.839056969 CET	445	49886	40.106.189.246	192.168.2.4
Jan 14, 2025 22:41:15.839183092 CET	49886	445	192.168.2.4	40.106.189.246
Jan 14, 2025 22:41:15.839183092 CET	49886	445	192.168.2.4	40.106.189.246
Jan 14, 2025 22:41:15.839286089 CET	49887	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.844218969 CET	445	49887	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:15.844332933 CET	445	49886	40.106.189.246	192.168.2.4
Jan 14, 2025 22:41:15.844357014 CET	49887	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.844357967 CET	49887	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.844405890 CET	49886	445	192.168.2.4	40.106.189.246
Jan 14, 2025 22:41:15.844561100 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.849368095 CET	445	49887	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:15.849442959 CET	445	49888	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:15.849476099 CET	49887	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.849544048 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.849586964 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:15.854418039 CET	445	49888	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:16.125135899 CET	445	49870	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:16.125215054 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:16.125251055 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:16.125332117 CET	49870	445	192.168.2.4	62.23.223.2
Jan 14, 2025 22:41:16.130243063 CET	445	49870	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:16.130273104 CET	445	49870	62.23.223.2	192.168.2.4
Jan 14, 2025 22:41:16.177844048 CET	49893	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.182996035 CET	445	49893	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:16.183094978 CET	49893	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.183182001 CET	49893	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.183419943 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.188163042 CET	445	49893	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:16.188227892 CET	49893	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.188317060 CET	445	49894	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:16.188370943 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.188395023 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:16.193267107 CET	445	49894	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:17.807857037 CET	445	49894	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:17.807924986 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:17.807967901 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:17.807976961 CET	49894	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:17.849611998 CET	49914	445	192.168.2.4	29.248.211.36
Jan 14, 2025 22:41:18.010869980 CET	445	49894	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:18.010910034 CET	445	49894	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:18.010927916 CET	445	49914	29.248.211.36	192.168.2.4
Jan 14, 2025 22:41:18.011126041 CET	49914	445	192.168.2.4	29.248.211.36
Jan 14, 2025 22:41:18.011126041 CET	49914	445	192.168.2.4	29.248.211.36
Jan 14, 2025 22:41:18.011301994 CET	49916	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.016216040 CET	445	49916	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:18.016233921 CET	445	49914	29.248.211.36	192.168.2.4
Jan 14, 2025 22:41:18.016284943 CET	49916	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.016314983 CET	49914	445	192.168.2.4	29.248.211.36
Jan 14, 2025 22:41:18.016443014 CET	49916	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.016681910 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.021601915 CET	445	49916	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:18.021620035 CET	445	49917	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:18.021671057 CET	49916	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.021691084 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.021846056 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:18.026640892 CET	445	49917	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:19.877526045 CET	49941	445	192.168.2.4	186.87.86.115
Jan 14, 2025 22:41:19.882446051 CET	445	49941	186.87.86.115	192.168.2.4
Jan 14, 2025 22:41:19.882529974 CET	49941	445	192.168.2.4	186.87.86.115
Jan 14, 2025 22:41:19.882555962 CET	49941	445	192.168.2.4	186.87.86.115
Jan 14, 2025 22:41:19.882782936 CET	49943	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.887623072 CET	445	49941	186.87.86.115	192.168.2.4
Jan 14, 2025 22:41:19.887667894 CET	445	49943	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:19.887689114 CET	49941	445	192.168.2.4	186.87.86.115
Jan 14, 2025 22:41:19.887747049 CET	49943	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.887851000 CET	49943	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.892790079 CET	445	49943	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:19.892858982 CET	49943	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.894861937 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.899741888 CET	445	49945	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:19.899820089 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.899854898 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:19.904619932 CET	445	49945	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:20.818291903 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:20.823404074 CET	445	49956	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:20.823487997 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:20.823507071 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:20.828293085 CET	445	49956	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:21.881012917 CET	49969	445	192.168.2.4	177.235.101.18
Jan 14, 2025 22:41:21.886001110 CET	445	49969	177.235.101.18	192.168.2.4
Jan 14, 2025 22:41:21.886286020 CET	49969	445	192.168.2.4	177.235.101.18
Jan 14, 2025 22:41:21.886286974 CET	49969	445	192.168.2.4	177.235.101.18
Jan 14, 2025 22:41:21.886370897 CET	49970	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.891221046 CET	445	49970	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:21.891290903 CET	49970	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.891470909 CET	49970	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.891752958 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.892843962 CET	445	49969	177.235.101.18	192.168.2.4
Jan 14, 2025 22:41:21.892919064 CET	49969	445	192.168.2.4	177.235.101.18
Jan 14, 2025 22:41:21.896727085 CET	445	49971	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:21.896836042 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.897032022 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.898272991 CET	445	49970	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:21.898329973 CET	49970	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:21.901890039 CET	445	49971	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:22.448884010 CET	445	49956	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:22.452181101 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:22.452218056 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:22.452260971 CET	49956	445	192.168.2.4	62.23.223.3
Jan 14, 2025 22:41:22.457061052 CET	445	49956	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:22.457084894 CET	445	49956	62.23.223.3	192.168.2.4
Jan 14, 2025 22:41:22.506297112 CET	49979	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.511215925 CET	445	49979	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:22.511760950 CET	49979	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.511785030 CET	49979	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.512213945 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.516892910 CET	445	49979	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:22.517000914 CET	445	49980	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:22.517105103 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.517154932 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.517168045 CET	49979	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:22.521883011 CET	445	49980	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:23.898385048 CET	49996	445	192.168.2.4	61.245.141.101
Jan 14, 2025 22:41:23.903363943 CET	445	49996	61.245.141.101	192.168.2.4
Jan 14, 2025 22:41:23.904586077 CET	49996	445	192.168.2.4	61.245.141.101
Jan 14, 2025 22:41:23.904624939 CET	49996	445	192.168.2.4	61.245.141.101
Jan 14, 2025 22:41:23.904819012 CET	49997	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.909699917 CET	445	49997	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:23.909714937 CET	445	49996	61.245.141.101	192.168.2.4
Jan 14, 2025 22:41:23.909842014 CET	49996	445	192.168.2.4	61.245.141.101
Jan 14, 2025 22:41:23.909848928 CET	49997	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.910216093 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.914875984 CET	445	49997	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:23.915113926 CET	445	49998	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:23.915196896 CET	49997	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.915261030 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.915261030 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:23.920099974 CET	445	49998	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:24.158020020 CET	445	49980	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:24.158106089 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:24.158155918 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:24.158205032 CET	49980	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:24.163090944 CET	445	49980	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:24.163363934 CET	445	49980	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:25.912466049 CET	50020	445	192.168.2.4	153.21.9.247
Jan 14, 2025 22:41:25.918582916 CET	445	50020	153.21.9.247	192.168.2.4
Jan 14, 2025 22:41:25.918759108 CET	50020	445	192.168.2.4	153.21.9.247
Jan 14, 2025 22:41:25.918759108 CET	50020	445	192.168.2.4	153.21.9.247
Jan 14, 2025 22:41:25.918977976 CET	50021	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.924103022 CET	445	50021	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:25.924333096 CET	50021	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.924362898 CET	445	50020	153.21.9.247	192.168.2.4
Jan 14, 2025 22:41:25.924423933 CET	50021	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.924525023 CET	50020	445	192.168.2.4	153.21.9.247
Jan 14, 2025 22:41:25.924529076 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.929876089 CET	445	50022	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:25.929965973 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.929982901 CET	445	50021	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:25.929996014 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.930160999 CET	50021	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:25.934757948 CET	445	50022	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:26.786519051 CET	445	49757	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:26.786600113 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:26.786684990 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:26.786740065 CET	49757	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:26.791603088 CET	445	49757	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:26.791623116 CET	445	49757	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:27.162151098 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:27.167118073 CET	445	50036	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:27.167215109 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:27.171129942 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:27.176151991 CET	445	50036	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:27.927926064 CET	50046	445	192.168.2.4	36.85.203.128
Jan 14, 2025 22:41:27.932946920 CET	445	50046	36.85.203.128	192.168.2.4
Jan 14, 2025 22:41:27.933152914 CET	50046	445	192.168.2.4	36.85.203.128
Jan 14, 2025 22:41:27.933198929 CET	50046	445	192.168.2.4	36.85.203.128
Jan 14, 2025 22:41:27.933569908 CET	50047	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.938479900 CET	445	50047	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:27.938494921 CET	445	50046	36.85.203.128	192.168.2.4
Jan 14, 2025 22:41:27.938610077 CET	50046	445	192.168.2.4	36.85.203.128
Jan 14, 2025 22:41:27.938674927 CET	50047	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.938676119 CET	50047	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.938908100 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.943880081 CET	445	50048	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:27.943892956 CET	445	50047	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:27.943957090 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.944025993 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.944078922 CET	50047	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:27.948801041 CET	445	50048	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:28.809711933 CET	445	50036	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:28.809813023 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:28.809866905 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:28.809889078 CET	50036	445	192.168.2.4	62.23.223.4
Jan 14, 2025 22:41:28.814810991 CET	445	50036	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:28.814830065 CET	445	50036	62.23.223.4	192.168.2.4
Jan 14, 2025 22:41:28.869704008 CET	50051	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.874825001 CET	445	50051	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:28.874999046 CET	50051	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.874999046 CET	50051	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.875464916 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.880131006 CET	445	50051	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:28.880227089 CET	50051	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.880345106 CET	445	50052	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:28.880530119 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.880530119 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:28.885427952 CET	445	50052	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:29.193542957 CET	445	49782	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:29.193661928 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:29.193717957 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:29.193907022 CET	49782	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:29.199350119 CET	445	49782	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:29.199695110 CET	445	49782	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:29.794167995 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:29.799428940 CET	445	50053	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:29.799561977 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:29.799654961 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:29.804902077 CET	445	50053	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:29.943662882 CET	50054	445	192.168.2.4	74.34.234.71
Jan 14, 2025 22:41:29.948698997 CET	445	50054	74.34.234.71	192.168.2.4
Jan 14, 2025 22:41:29.948894978 CET	50054	445	192.168.2.4	74.34.234.71
Jan 14, 2025 22:41:29.948940039 CET	50054	445	192.168.2.4	74.34.234.71
Jan 14, 2025 22:41:29.949280024 CET	50055	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.954148054 CET	445	50055	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:29.954225063 CET	50055	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.954255104 CET	50055	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.954433918 CET	445	50054	74.34.234.71	192.168.2.4
Jan 14, 2025 22:41:29.954612970 CET	50054	445	192.168.2.4	74.34.234.71
Jan 14, 2025 22:41:29.954638958 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.959217072 CET	445	50055	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:29.959289074 CET	50055	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.959471941 CET	445	50056	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:29.959585905 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.959585905 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:29.964442968 CET	445	50056	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:30.516098022 CET	445	50052	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:30.516345978 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:30.516489029 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:30.516489029 CET	50052	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:30.521522045 CET	445	50052	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:30.521534920 CET	445	50052	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:31.193638086 CET	445	49809	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:31.196563959 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:31.196748018 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:31.196846008 CET	49809	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:31.201730967 CET	445	49809	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:31.201822996 CET	445	49809	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:31.959830046 CET	50057	445	192.168.2.4	92.108.92.19
Jan 14, 2025 22:41:31.964792967 CET	445	50057	92.108.92.19	192.168.2.4
Jan 14, 2025 22:41:31.964926958 CET	50057	445	192.168.2.4	92.108.92.19
Jan 14, 2025 22:41:31.965015888 CET	50057	445	192.168.2.4	92.108.92.19
Jan 14, 2025 22:41:31.965219021 CET	50058	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.970041037 CET	445	50057	92.108.92.19	192.168.2.4
Jan 14, 2025 22:41:31.970084906 CET	445	50058	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:31.970271111 CET	50057	445	192.168.2.4	92.108.92.19
Jan 14, 2025 22:41:31.970438004 CET	50058	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.970438004 CET	50058	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.970648050 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.975394011 CET	445	50058	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:31.975517988 CET	445	50059	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:31.975578070 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.975605965 CET	50058	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.975611925 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:31.980515003 CET	445	50059	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:32.211261988 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:32.216325045 CET	445	50060	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:32.216454029 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:32.240370035 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:32.245440960 CET	445	50060	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:33.179191113 CET	445	49837	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:33.179276943 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:33.179446936 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:33.179495096 CET	49837	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:33.184429884 CET	445	49837	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:33.184444904 CET	445	49837	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:33.524692059 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:33.529617071 CET	445	50061	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:33.529700041 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:33.529731989 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:33.534547091 CET	445	50061	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:33.639832973 CET	445	50059	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:33.643294096 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:33.643389940 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:33.643389940 CET	50059	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:33.648283005 CET	445	50059	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:33.648293972 CET	445	50059	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:33.975033045 CET	50062	445	192.168.2.4	51.209.245.101
Jan 14, 2025 22:41:33.980000019 CET	445	50062	51.209.245.101	192.168.2.4
Jan 14, 2025 22:41:33.982696056 CET	50062	445	192.168.2.4	51.209.245.101
Jan 14, 2025 22:41:33.982789993 CET	50062	445	192.168.2.4	51.209.245.101
Jan 14, 2025 22:41:33.982974052 CET	50063	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.987813950 CET	445	50062	51.209.245.101	192.168.2.4
Jan 14, 2025 22:41:33.988280058 CET	445	50063	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:33.988341093 CET	50062	445	192.168.2.4	51.209.245.101
Jan 14, 2025 22:41:33.988372087 CET	50063	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.988413095 CET	50063	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.988776922 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.993484974 CET	445	50063	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:33.993628979 CET	445	50064	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:33.993685007 CET	50063	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.993865013 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.993865013 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:33.998910904 CET	445	50064	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:34.209114075 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:34.214121103 CET	445	50065	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:34.216582060 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:34.216686964 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:34.221519947 CET	445	50065	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:35.170614004 CET	445	50061	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:35.170674086 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:35.172107935 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:35.172137022 CET	50061	445	192.168.2.4	62.23.223.5
Jan 14, 2025 22:41:35.176966906 CET	445	50061	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:35.176980019 CET	445	50061	62.23.223.5	192.168.2.4
Jan 14, 2025 22:41:35.192840099 CET	445	49861	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:35.192900896 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:35.193133116 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:35.193243980 CET	49861	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:35.197936058 CET	445	49861	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:35.197983980 CET	445	49861	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:35.228420019 CET	50066	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.233421087 CET	445	50066	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:35.233514071 CET	50066	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.235552073 CET	50066	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.236175060 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.241436958 CET	445	50066	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:35.241493940 CET	50066	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.241893053 CET	445	50067	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:35.241954088 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.244321108 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:35.249840021 CET	445	50067	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:35.990648985 CET	50068	445	192.168.2.4	138.57.43.236
Jan 14, 2025 22:41:35.995647907 CET	445	50068	138.57.43.236	192.168.2.4
Jan 14, 2025 22:41:35.995737076 CET	50068	445	192.168.2.4	138.57.43.236
Jan 14, 2025 22:41:35.995758057 CET	50068	445	192.168.2.4	138.57.43.236
Jan 14, 2025 22:41:35.995897055 CET	50069	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.000909090 CET	445	50069	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:36.000926971 CET	445	50068	138.57.43.236	192.168.2.4
Jan 14, 2025 22:41:36.001007080 CET	50068	445	192.168.2.4	138.57.43.236
Jan 14, 2025 22:41:36.001024008 CET	50069	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.001343966 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.001348019 CET	50069	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.006825924 CET	445	50070	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:36.006844044 CET	445	50069	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:36.006961107 CET	50069	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.006973028 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.006973028 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:36.012531996 CET	445	50070	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:36.193375111 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:36.199373960 CET	445	50071	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:36.199587107 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:36.199799061 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:36.205533028 CET	445	50071	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:36.646871090 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:36.651915073 CET	445	50072	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:36.652029037 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:36.657816887 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:36.662702084 CET	445	50072	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:36.871689081 CET	445	50067	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:36.871814013 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:36.871916056 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:36.871916056 CET	50067	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:36.877804995 CET	445	50067	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:36.877832890 CET	445	50067	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:37.241523027 CET	445	49888	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:37.241697073 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:37.241779089 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:37.241842031 CET	49888	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:37.246602058 CET	445	49888	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:37.246614933 CET	445	49888	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:38.006550074 CET	50073	445	192.168.2.4	116.248.34.204
Jan 14, 2025 22:41:38.013230085 CET	445	50073	116.248.34.204	192.168.2.4
Jan 14, 2025 22:41:38.013297081 CET	50073	445	192.168.2.4	116.248.34.204
Jan 14, 2025 22:41:38.013379097 CET	50073	445	192.168.2.4	116.248.34.204
Jan 14, 2025 22:41:38.013693094 CET	50074	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.019407988 CET	445	50073	116.248.34.204	192.168.2.4
Jan 14, 2025 22:41:38.019459009 CET	50073	445	192.168.2.4	116.248.34.204
Jan 14, 2025 22:41:38.019865990 CET	445	50074	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:38.019942999 CET	50074	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.020097971 CET	50074	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.020387888 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.026153088 CET	445	50074	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:38.026210070 CET	50074	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.026289940 CET	445	50075	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:38.026344061 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.026366949 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:38.031089067 CET	445	50075	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:38.209186077 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:38.214732885 CET	445	50076	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:38.214832067 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:38.214920044 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:38.219690084 CET	445	50076	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:38.300384998 CET	445	50072	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:38.300497055 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:38.300734997 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:38.300734997 CET	50072	445	192.168.2.4	92.108.92.1
Jan 14, 2025 22:41:38.305635929 CET	445	50072	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:38.305655003 CET	445	50072	92.108.92.1	192.168.2.4
Jan 14, 2025 22:41:38.365267038 CET	50077	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.370435953 CET	445	50077	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:38.370579958 CET	50077	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.373667955 CET	50077	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.374123096 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.378607988 CET	445	50077	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:38.378690004 CET	50077	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.378926039 CET	445	50078	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:38.379111052 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.379138947 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:38.383946896 CET	445	50078	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:39.396248102 CET	445	49917	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:39.396456003 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:39.396615028 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:39.396656990 CET	49917	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:39.401457071 CET	445	49917	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:39.401475906 CET	445	49917	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:39.880852938 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:39.881153107 CET	50080	445	192.168.2.4	164.124.34.107
Jan 14, 2025 22:41:39.885802031 CET	445	50079	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:39.885893106 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:39.885927916 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:39.886029005 CET	445	50080	164.124.34.107	192.168.2.4
Jan 14, 2025 22:41:39.886084080 CET	50080	445	192.168.2.4	164.124.34.107
Jan 14, 2025 22:41:39.886276960 CET	50080	445	192.168.2.4	164.124.34.107
Jan 14, 2025 22:41:39.886496067 CET	50081	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.890757084 CET	445	50079	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:39.891196966 CET	445	50080	164.124.34.107	192.168.2.4
Jan 14, 2025 22:41:39.891247988 CET	50080	445	192.168.2.4	164.124.34.107
Jan 14, 2025 22:41:39.891340971 CET	445	50081	164.124.34.1	192.168.2.4
Jan 14, 2025 22:41:39.891411066 CET	50081	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.891438961 CET	50081	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.891730070 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.896447897 CET	445	50081	164.124.34.1	192.168.2.4
Jan 14, 2025 22:41:39.896486044 CET	445	50082	164.124.34.1	192.168.2.4
Jan 14, 2025 22:41:39.896497965 CET	50081	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.896534920 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.896557093 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:41:39.901312113 CET	445	50082	164.124.34.1	192.168.2.4
Jan 14, 2025 22:41:40.255939960 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:40.261389017 CET	445	50083	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:40.261594057 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:40.261677980 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:41:40.267385960 CET	445	50083	40.106.189.1	192.168.2.4
Jan 14, 2025 22:41:41.304013014 CET	445	49945	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:41.304090977 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:41.304136038 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:41.304197073 CET	49945	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:41.309005976 CET	445	49945	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:41.309020042 CET	445	49945	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:41.531423092 CET	445	50079	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:41.531524897 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:41.531562090 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:41.531611919 CET	50079	445	192.168.2.4	62.23.223.6
Jan 14, 2025 22:41:41.536504030 CET	445	50079	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:41.536521912 CET	445	50079	62.23.223.6	192.168.2.4
Jan 14, 2025 22:41:41.584142923 CET	50084	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.589068890 CET	445	50084	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:41.589178085 CET	50084	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.589230061 CET	50084	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.589656115 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.594459057 CET	445	50085	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:41.594535112 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.594563961 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.594585896 CET	445	50084	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:41.594691992 CET	445	50084	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:41.594741106 CET	50084	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:41.599478006 CET	445	50085	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:41.631014109 CET	50086	445	192.168.2.4	155.93.3.137
Jan 14, 2025 22:41:41.635979891 CET	445	50086	155.93.3.137	192.168.2.4
Jan 14, 2025 22:41:41.636082888 CET	50086	445	192.168.2.4	155.93.3.137
Jan 14, 2025 22:41:41.636225939 CET	50086	445	192.168.2.4	155.93.3.137
Jan 14, 2025 22:41:41.636234045 CET	50087	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.641218901 CET	445	50087	155.93.3.1	192.168.2.4
Jan 14, 2025 22:41:41.641235113 CET	445	50086	155.93.3.137	192.168.2.4
Jan 14, 2025 22:41:41.641309023 CET	50086	445	192.168.2.4	155.93.3.137
Jan 14, 2025 22:41:41.641314030 CET	50087	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.641608000 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.646362066 CET	445	50087	155.93.3.1	192.168.2.4
Jan 14, 2025 22:41:41.646461964 CET	50087	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.646467924 CET	445	50088	155.93.3.1	192.168.2.4
Jan 14, 2025 22:41:41.646529913 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.646570921 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:41:41.651402950 CET	445	50088	155.93.3.1	192.168.2.4
Jan 14, 2025 22:41:42.412074089 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:42.417067051 CET	445	50089	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:42.417196035 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:42.417231083 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:41:42.422063112 CET	445	50089	29.248.211.1	192.168.2.4
Jan 14, 2025 22:41:43.250983953 CET	445	50085	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:43.251183987 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:43.251254082 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:43.251321077 CET	50085	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:43.256264925 CET	445	50085	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:43.256279945 CET	445	50085	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:43.270965099 CET	445	49971	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:43.271325111 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:43.271325111 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:43.271424055 CET	49971	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:43.271912098 CET	50090	445	192.168.2.4	98.156.92.103
Jan 14, 2025 22:41:43.276180029 CET	445	49971	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:43.276205063 CET	445	49971	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:43.276699066 CET	445	50090	98.156.92.103	192.168.2.4
Jan 14, 2025 22:41:43.276796103 CET	50090	445	192.168.2.4	98.156.92.103
Jan 14, 2025 22:41:43.276825905 CET	50090	445	192.168.2.4	98.156.92.103
Jan 14, 2025 22:41:43.276983023 CET	50091	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.281863928 CET	445	50091	98.156.92.1	192.168.2.4
Jan 14, 2025 22:41:43.281877041 CET	445	50090	98.156.92.103	192.168.2.4
Jan 14, 2025 22:41:43.281986952 CET	50090	445	192.168.2.4	98.156.92.103
Jan 14, 2025 22:41:43.281996965 CET	50091	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.282021999 CET	50091	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.282656908 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.287193060 CET	445	50091	98.156.92.1	192.168.2.4
Jan 14, 2025 22:41:43.287267923 CET	50091	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.287462950 CET	445	50092	98.156.92.1	192.168.2.4
Jan 14, 2025 22:41:43.287607908 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.287607908 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:41:43.292727947 CET	445	50092	98.156.92.1	192.168.2.4
Jan 14, 2025 22:41:44.318320990 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:44.323416948 CET	445	50093	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:44.323544979 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:44.323591948 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:41:44.328468084 CET	445	50093	186.87.86.1	192.168.2.4
Jan 14, 2025 22:41:44.802990913 CET	50094	445	192.168.2.4	88.243.135.164
Jan 14, 2025 22:41:44.808065891 CET	445	50094	88.243.135.164	192.168.2.4
Jan 14, 2025 22:41:44.808182955 CET	50094	445	192.168.2.4	88.243.135.164
Jan 14, 2025 22:41:44.808269978 CET	50094	445	192.168.2.4	88.243.135.164
Jan 14, 2025 22:41:44.808397055 CET	50095	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.813186884 CET	445	50094	88.243.135.164	192.168.2.4
Jan 14, 2025 22:41:44.813297987 CET	445	50095	88.243.135.1	192.168.2.4
Jan 14, 2025 22:41:44.813345909 CET	50094	445	192.168.2.4	88.243.135.164
Jan 14, 2025 22:41:44.813436031 CET	50095	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.813535929 CET	50095	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.813954115 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.818367958 CET	445	50095	88.243.135.1	192.168.2.4
Jan 14, 2025 22:41:44.818434000 CET	50095	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.818746090 CET	445	50096	88.243.135.1	192.168.2.4
Jan 14, 2025 22:41:44.818810940 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.818837881 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:41:44.823576927 CET	445	50096	88.243.135.1	192.168.2.4
Jan 14, 2025 22:41:45.304440975 CET	445	49998	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:45.304542065 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:45.304621935 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:45.304621935 CET	49998	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:45.309519053 CET	445	49998	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:45.309531927 CET	445	49998	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:46.225111961 CET	50097	445	192.168.2.4	26.53.204.194
Jan 14, 2025 22:41:46.230206013 CET	445	50097	26.53.204.194	192.168.2.4
Jan 14, 2025 22:41:46.230314016 CET	50097	445	192.168.2.4	26.53.204.194
Jan 14, 2025 22:41:46.230428934 CET	50097	445	192.168.2.4	26.53.204.194
Jan 14, 2025 22:41:46.230629921 CET	50098	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.235359907 CET	445	50097	26.53.204.194	192.168.2.4
Jan 14, 2025 22:41:46.235439062 CET	50097	445	192.168.2.4	26.53.204.194
Jan 14, 2025 22:41:46.235450983 CET	445	50098	26.53.204.1	192.168.2.4
Jan 14, 2025 22:41:46.235513926 CET	50098	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.235577106 CET	50098	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.235819101 CET	50099	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.240540028 CET	445	50098	26.53.204.1	192.168.2.4
Jan 14, 2025 22:41:46.240603924 CET	50098	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.240690947 CET	445	50099	26.53.204.1	192.168.2.4
Jan 14, 2025 22:41:46.240772009 CET	50099	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.241837978 CET	50099	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:41:46.246625900 CET	445	50099	26.53.204.1	192.168.2.4
Jan 14, 2025 22:41:46.255805016 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:46.260783911 CET	445	50100	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:46.260890961 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:46.260890961 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:46.265640974 CET	445	50100	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:46.287564993 CET	50101	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:46.292388916 CET	445	50101	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:46.292506933 CET	50101	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:46.294178963 CET	50101	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:41:46.299025059 CET	445	50101	177.235.101.1	192.168.2.4
Jan 14, 2025 22:41:47.457010984 CET	445	50022	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:47.457115889 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:47.457217932 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:47.457292080 CET	50022	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:47.462090969 CET	445	50022	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:47.462102890 CET	445	50022	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:47.553195953 CET	50102	445	192.168.2.4	94.19.17.124
Jan 14, 2025 22:41:47.558269978 CET	445	50102	94.19.17.124	192.168.2.4
Jan 14, 2025 22:41:47.558537006 CET	50102	445	192.168.2.4	94.19.17.124
Jan 14, 2025 22:41:47.558537006 CET	50102	445	192.168.2.4	94.19.17.124
Jan 14, 2025 22:41:47.558562040 CET	50103	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.563410997 CET	445	50103	94.19.17.1	192.168.2.4
Jan 14, 2025 22:41:47.563488007 CET	50103	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.563503027 CET	50103	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.563536882 CET	445	50102	94.19.17.124	192.168.2.4
Jan 14, 2025 22:41:47.563935995 CET	50104	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.563965082 CET	50102	445	192.168.2.4	94.19.17.124
Jan 14, 2025 22:41:47.568464994 CET	445	50103	94.19.17.1	192.168.2.4
Jan 14, 2025 22:41:47.568521023 CET	50103	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.568732977 CET	445	50104	94.19.17.1	192.168.2.4
Jan 14, 2025 22:41:47.568793058 CET	50104	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.568823099 CET	50104	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:41:47.573683977 CET	445	50104	94.19.17.1	192.168.2.4
Jan 14, 2025 22:41:47.921845913 CET	445	50100	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:47.923934937 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:47.923979044 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:47.924022913 CET	50100	445	192.168.2.4	62.23.223.7
Jan 14, 2025 22:41:47.929160118 CET	445	50100	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:47.929172993 CET	445	50100	62.23.223.7	192.168.2.4
Jan 14, 2025 22:41:47.976094007 CET	50105	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.981045961 CET	445	50105	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:47.984586954 CET	50105	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.984720945 CET	50105	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.985162020 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.989996910 CET	445	50106	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:47.990039110 CET	445	50105	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:47.990135908 CET	50105	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.990139008 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.990227938 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:47.995032072 CET	445	50106	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:48.318365097 CET	50107	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:48.323251963 CET	445	50107	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:48.326581001 CET	50107	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:48.326692104 CET	50107	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:41:48.331537962 CET	445	50107	61.245.141.1	192.168.2.4
Jan 14, 2025 22:41:48.787405968 CET	50108	445	192.168.2.4	83.62.182.223
Jan 14, 2025 22:41:48.792314053 CET	445	50108	83.62.182.223	192.168.2.4
Jan 14, 2025 22:41:48.792397976 CET	50108	445	192.168.2.4	83.62.182.223
Jan 14, 2025 22:41:48.792443037 CET	50108	445	192.168.2.4	83.62.182.223
Jan 14, 2025 22:41:48.792565107 CET	50109	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.797435999 CET	445	50109	83.62.182.1	192.168.2.4
Jan 14, 2025 22:41:48.797456026 CET	445	50108	83.62.182.223	192.168.2.4
Jan 14, 2025 22:41:48.797493935 CET	50109	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.797519922 CET	50108	445	192.168.2.4	83.62.182.223
Jan 14, 2025 22:41:48.797626019 CET	50109	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.798008919 CET	50110	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.802500010 CET	445	50109	83.62.182.1	192.168.2.4
Jan 14, 2025 22:41:48.802556038 CET	50109	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.802810907 CET	445	50110	83.62.182.1	192.168.2.4
Jan 14, 2025 22:41:48.802875042 CET	50110	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.802905083 CET	50110	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:41:48.807663918 CET	445	50110	83.62.182.1	192.168.2.4
Jan 14, 2025 22:41:49.318139076 CET	445	50048	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:49.318202972 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:49.318243027 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:49.318264008 CET	50048	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:49.323088884 CET	445	50048	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:49.323098898 CET	445	50048	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:49.648340940 CET	445	50106	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:49.648474932 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:49.648542881 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:49.648641109 CET	50106	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:49.653275013 CET	445	50106	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:49.653399944 CET	445	50106	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:49.943634987 CET	50111	445	192.168.2.4	220.64.64.244
Jan 14, 2025 22:41:49.948522091 CET	445	50111	220.64.64.244	192.168.2.4
Jan 14, 2025 22:41:49.948600054 CET	50111	445	192.168.2.4	220.64.64.244
Jan 14, 2025 22:41:49.948626995 CET	50111	445	192.168.2.4	220.64.64.244
Jan 14, 2025 22:41:49.948785067 CET	50112	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.953660965 CET	445	50111	220.64.64.244	192.168.2.4
Jan 14, 2025 22:41:49.953679085 CET	445	50112	220.64.64.1	192.168.2.4
Jan 14, 2025 22:41:49.953710079 CET	50111	445	192.168.2.4	220.64.64.244
Jan 14, 2025 22:41:49.953752041 CET	50112	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.953825951 CET	50112	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.954071999 CET	50113	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.958705902 CET	445	50112	220.64.64.1	192.168.2.4
Jan 14, 2025 22:41:49.958754063 CET	50112	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.958878994 CET	445	50113	220.64.64.1	192.168.2.4
Jan 14, 2025 22:41:49.958939075 CET	50113	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.958975077 CET	50113	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:41:49.963773966 CET	445	50113	220.64.64.1	192.168.2.4
Jan 14, 2025 22:41:50.458972931 CET	50114	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:50.463931084 CET	445	50114	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:50.464013100 CET	50114	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:50.464040041 CET	50114	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:41:50.468767881 CET	445	50114	153.21.9.1	192.168.2.4
Jan 14, 2025 22:41:51.021821976 CET	50115	445	192.168.2.4	126.46.181.23
Jan 14, 2025 22:41:51.026951075 CET	445	50115	126.46.181.23	192.168.2.4
Jan 14, 2025 22:41:51.027025938 CET	50115	445	192.168.2.4	126.46.181.23
Jan 14, 2025 22:41:51.027079105 CET	50115	445	192.168.2.4	126.46.181.23
Jan 14, 2025 22:41:51.027261972 CET	50116	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.032210112 CET	445	50116	126.46.181.1	192.168.2.4
Jan 14, 2025 22:41:51.032294989 CET	50116	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.032309055 CET	50116	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.032427073 CET	445	50115	126.46.181.23	192.168.2.4
Jan 14, 2025 22:41:51.032470942 CET	50115	445	192.168.2.4	126.46.181.23
Jan 14, 2025 22:41:51.032618046 CET	50117	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.037297964 CET	445	50116	126.46.181.1	192.168.2.4
Jan 14, 2025 22:41:51.037345886 CET	50116	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.037400961 CET	445	50117	126.46.181.1	192.168.2.4
Jan 14, 2025 22:41:51.037466049 CET	50117	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.037535906 CET	50117	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:41:51.042324066 CET	445	50117	126.46.181.1	192.168.2.4
Jan 14, 2025 22:41:51.317692995 CET	445	50053	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:51.317809105 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:51.317871094 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:51.317940950 CET	50053	445	192.168.2.4	154.37.134.1
Jan 14, 2025 22:41:51.320441008 CET	445	50056	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:51.320521116 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:51.320522070 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:51.320615053 CET	50056	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:51.322688103 CET	445	50053	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:51.322787046 CET	445	50053	154.37.134.1	192.168.2.4
Jan 14, 2025 22:41:51.325457096 CET	445	50056	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:51.325469971 CET	445	50056	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:51.380875111 CET	50118	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.385727882 CET	445	50118	154.37.134.2	192.168.2.4
Jan 14, 2025 22:41:51.385802031 CET	50118	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.385838985 CET	50118	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.386189938 CET	50119	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.390734911 CET	445	50118	154.37.134.2	192.168.2.4
Jan 14, 2025 22:41:51.390783072 CET	50118	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.391067982 CET	445	50119	154.37.134.2	192.168.2.4
Jan 14, 2025 22:41:51.391139984 CET	50119	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.391195059 CET	50119	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:41:51.395972013 CET	445	50119	154.37.134.2	192.168.2.4
Jan 14, 2025 22:41:52.037338018 CET	50120	445	192.168.2.4	159.230.126.176
Jan 14, 2025 22:41:52.042284012 CET	445	50120	159.230.126.176	192.168.2.4
Jan 14, 2025 22:41:52.042370081 CET	50120	445	192.168.2.4	159.230.126.176
Jan 14, 2025 22:41:52.042553902 CET	50120	445	192.168.2.4	159.230.126.176
Jan 14, 2025 22:41:52.042926073 CET	50121	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.047486067 CET	445	50120	159.230.126.176	192.168.2.4
Jan 14, 2025 22:41:52.047554016 CET	50120	445	192.168.2.4	159.230.126.176
Jan 14, 2025 22:41:52.047785997 CET	445	50121	159.230.126.1	192.168.2.4
Jan 14, 2025 22:41:52.047852993 CET	50121	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.047864914 CET	50121	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.048105001 CET	50122	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.052798986 CET	445	50121	159.230.126.1	192.168.2.4
Jan 14, 2025 22:41:52.052856922 CET	50121	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.052962065 CET	445	50122	159.230.126.1	192.168.2.4
Jan 14, 2025 22:41:52.053030968 CET	50122	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.053092957 CET	50122	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:41:52.058101892 CET	445	50122	159.230.126.1	192.168.2.4
Jan 14, 2025 22:41:52.333909988 CET	50123	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:52.338835955 CET	445	50123	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:52.338922024 CET	50123	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:52.338953018 CET	50123	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:41:52.343756914 CET	445	50123	36.85.203.1	192.168.2.4
Jan 14, 2025 22:41:52.662137985 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:52.667113066 CET	445	50124	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:52.667234898 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:52.667294025 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:52.672127962 CET	445	50124	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:52.974898100 CET	50125	445	192.168.2.4	24.6.220.9
Jan 14, 2025 22:41:52.979837894 CET	445	50125	24.6.220.9	192.168.2.4
Jan 14, 2025 22:41:52.979943991 CET	50125	445	192.168.2.4	24.6.220.9
Jan 14, 2025 22:41:52.980014086 CET	50125	445	192.168.2.4	24.6.220.9
Jan 14, 2025 22:41:52.980292082 CET	50126	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.984901905 CET	445	50125	24.6.220.9	192.168.2.4
Jan 14, 2025 22:41:52.984972000 CET	50125	445	192.168.2.4	24.6.220.9
Jan 14, 2025 22:41:52.985106945 CET	445	50126	24.6.220.1	192.168.2.4
Jan 14, 2025 22:41:52.985172033 CET	50126	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.985244036 CET	50126	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.985615969 CET	50127	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.990458965 CET	445	50127	24.6.220.1	192.168.2.4
Jan 14, 2025 22:41:52.990536928 CET	445	50126	24.6.220.1	192.168.2.4
Jan 14, 2025 22:41:52.990581989 CET	50127	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.990601063 CET	50126	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.990654945 CET	50127	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:41:52.995481968 CET	445	50127	24.6.220.1	192.168.2.4
Jan 14, 2025 22:41:53.637450933 CET	445	50060	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:53.637568951 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:53.637659073 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:53.637695074 CET	50060	445	192.168.2.4	95.132.23.1
Jan 14, 2025 22:41:53.643100023 CET	445	50060	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:53.643110037 CET	445	50060	95.132.23.1	192.168.2.4
Jan 14, 2025 22:41:53.693481922 CET	50128	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.698496103 CET	445	50128	95.132.23.2	192.168.2.4
Jan 14, 2025 22:41:53.698600054 CET	50128	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.698671103 CET	50128	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.699038982 CET	50129	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.703679085 CET	445	50128	95.132.23.2	192.168.2.4
Jan 14, 2025 22:41:53.703733921 CET	50128	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.703835011 CET	445	50129	95.132.23.2	192.168.2.4
Jan 14, 2025 22:41:53.703897953 CET	50129	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.703948975 CET	50129	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:41:53.708722115 CET	445	50129	95.132.23.2	192.168.2.4
Jan 14, 2025 22:41:53.853014946 CET	50130	445	192.168.2.4	8.141.111.79
Jan 14, 2025 22:41:53.858045101 CET	445	50130	8.141.111.79	192.168.2.4
Jan 14, 2025 22:41:53.858129978 CET	50130	445	192.168.2.4	8.141.111.79
Jan 14, 2025 22:41:53.858232021 CET	50130	445	192.168.2.4	8.141.111.79
Jan 14, 2025 22:41:53.858412981 CET	50131	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.863078117 CET	445	50130	8.141.111.79	192.168.2.4
Jan 14, 2025 22:41:53.863140106 CET	50130	445	192.168.2.4	8.141.111.79
Jan 14, 2025 22:41:53.863176107 CET	445	50131	8.141.111.1	192.168.2.4
Jan 14, 2025 22:41:53.863229036 CET	50131	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.863318920 CET	50131	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.865426064 CET	50132	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.868154049 CET	445	50131	8.141.111.1	192.168.2.4
Jan 14, 2025 22:41:53.868217945 CET	50131	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.870273113 CET	445	50132	8.141.111.1	192.168.2.4
Jan 14, 2025 22:41:53.870354891 CET	50132	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.878376961 CET	50132	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:41:53.883162975 CET	445	50132	8.141.111.1	192.168.2.4
Jan 14, 2025 22:41:54.308713913 CET	445	50124	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:54.308813095 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:54.308861971 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:54.308895111 CET	50124	445	192.168.2.4	62.23.223.8
Jan 14, 2025 22:41:54.313703060 CET	445	50124	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:54.313713074 CET	445	50124	62.23.223.8	192.168.2.4
Jan 14, 2025 22:41:54.333859921 CET	50133	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:54.338840961 CET	445	50133	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:54.338931084 CET	50133	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:54.338960886 CET	50133	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:41:54.343817949 CET	445	50133	74.34.234.1	192.168.2.4
Jan 14, 2025 22:41:54.365333080 CET	50134	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.370192051 CET	445	50134	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:54.370332956 CET	50134	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.370424986 CET	50134	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.370940924 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.375761986 CET	445	50134	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:54.375874043 CET	50134	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.375953913 CET	445	50135	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:54.376023054 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.376068115 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:54.381050110 CET	445	50135	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:54.678396940 CET	50136	445	192.168.2.4	174.98.210.149
Jan 14, 2025 22:41:54.684329033 CET	445	50136	174.98.210.149	192.168.2.4
Jan 14, 2025 22:41:54.684418917 CET	50136	445	192.168.2.4	174.98.210.149
Jan 14, 2025 22:41:54.684449911 CET	50136	445	192.168.2.4	174.98.210.149
Jan 14, 2025 22:41:54.684659004 CET	50137	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.690370083 CET	445	50136	174.98.210.149	192.168.2.4
Jan 14, 2025 22:41:54.690382957 CET	445	50137	174.98.210.1	192.168.2.4
Jan 14, 2025 22:41:54.690432072 CET	50136	445	192.168.2.4	174.98.210.149
Jan 14, 2025 22:41:54.690485954 CET	50137	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.690606117 CET	50137	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.691023111 CET	50138	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.698447943 CET	445	50137	174.98.210.1	192.168.2.4
Jan 14, 2025 22:41:54.698482037 CET	445	50138	174.98.210.1	192.168.2.4
Jan 14, 2025 22:41:54.698533058 CET	50137	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.698580980 CET	50138	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.698611975 CET	50138	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:41:54.703352928 CET	445	50138	174.98.210.1	192.168.2.4
Jan 14, 2025 22:41:55.350191116 CET	445	50064	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:55.350279093 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:55.350332022 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:55.350577116 CET	50064	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:55.355178118 CET	445	50064	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:55.355438948 CET	445	50064	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:55.443859100 CET	50139	445	192.168.2.4	32.135.43.254
Jan 14, 2025 22:41:55.448803902 CET	445	50139	32.135.43.254	192.168.2.4
Jan 14, 2025 22:41:55.448896885 CET	50139	445	192.168.2.4	32.135.43.254
Jan 14, 2025 22:41:55.448915958 CET	50139	445	192.168.2.4	32.135.43.254
Jan 14, 2025 22:41:55.449165106 CET	50140	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.453912020 CET	445	50139	32.135.43.254	192.168.2.4
Jan 14, 2025 22:41:55.453969002 CET	50139	445	192.168.2.4	32.135.43.254
Jan 14, 2025 22:41:55.454071045 CET	445	50140	32.135.43.1	192.168.2.4
Jan 14, 2025 22:41:55.454132080 CET	50140	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.454216957 CET	50140	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.454509974 CET	50141	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.459120989 CET	445	50140	32.135.43.1	192.168.2.4
Jan 14, 2025 22:41:55.459173918 CET	50140	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.459359884 CET	445	50141	32.135.43.1	192.168.2.4
Jan 14, 2025 22:41:55.459423065 CET	50141	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.459465981 CET	50141	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:41:55.464267969 CET	445	50141	32.135.43.1	192.168.2.4
Jan 14, 2025 22:41:55.601156950 CET	445	50065	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:55.601444006 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:55.601545095 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:55.601586103 CET	50065	445	192.168.2.4	132.150.152.1
Jan 14, 2025 22:41:55.606395960 CET	445	50065	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:55.606409073 CET	445	50065	132.150.152.1	192.168.2.4
Jan 14, 2025 22:41:55.662506104 CET	50142	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.667500973 CET	445	50142	132.150.152.2	192.168.2.4
Jan 14, 2025 22:41:55.667601109 CET	50142	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.667670965 CET	50142	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.668262959 CET	50143	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.672571898 CET	445	50142	132.150.152.2	192.168.2.4
Jan 14, 2025 22:41:55.672642946 CET	50142	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.673103094 CET	445	50143	132.150.152.2	192.168.2.4
Jan 14, 2025 22:41:55.673177004 CET	50143	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.673218966 CET	50143	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:41:55.677999973 CET	445	50143	132.150.152.2	192.168.2.4
Jan 14, 2025 22:41:56.011760950 CET	445	50135	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:56.011831045 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:56.011861086 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:56.011923075 CET	50135	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:56.016684055 CET	445	50135	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:56.016710997 CET	445	50135	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:57.401911974 CET	445	50070	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:57.401983976 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:57.402055025 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:57.402107000 CET	50070	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:41:57.406822920 CET	445	50070	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:57.406970978 CET	445	50070	138.57.43.1	192.168.2.4
Jan 14, 2025 22:41:57.583834887 CET	445	50071	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:57.587357998 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:57.587435007 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:57.587500095 CET	50071	445	192.168.2.4	44.158.242.1
Jan 14, 2025 22:41:57.592346907 CET	445	50071	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:57.592360020 CET	445	50071	44.158.242.1	192.168.2.4
Jan 14, 2025 22:41:57.646678925 CET	50149	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.651591063 CET	445	50149	44.158.242.2	192.168.2.4
Jan 14, 2025 22:41:57.654983044 CET	50149	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.655065060 CET	50149	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.655381918 CET	50150	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.660206079 CET	445	50149	44.158.242.2	192.168.2.4
Jan 14, 2025 22:41:57.660222054 CET	445	50150	44.158.242.2	192.168.2.4
Jan 14, 2025 22:41:57.660294056 CET	50149	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.660321951 CET	50150	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.660340071 CET	50150	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:41:57.665154934 CET	445	50150	44.158.242.2	192.168.2.4
Jan 14, 2025 22:41:58.365236044 CET	50153	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:58.370147943 CET	445	50153	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:58.370260000 CET	50153	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:58.370297909 CET	50153	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:41:58.375047922 CET	445	50153	51.209.245.1	192.168.2.4
Jan 14, 2025 22:41:59.021533012 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:59.026518106 CET	445	50158	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:59.026668072 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:59.026766062 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:41:59.031651974 CET	445	50158	62.23.223.9	192.168.2.4
Jan 14, 2025 22:41:59.396380901 CET	445	50075	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:59.396449089 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:59.396517038 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:59.396517038 CET	50075	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:41:59.401354074 CET	445	50075	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:59.401382923 CET	445	50075	116.248.34.1	192.168.2.4
Jan 14, 2025 22:41:59.600253105 CET	445	50076	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:59.600366116 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:59.600476027 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:59.600555897 CET	50076	445	192.168.2.4	93.57.185.1
Jan 14, 2025 22:41:59.605313063 CET	445	50076	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:59.605351925 CET	445	50076	93.57.185.1	192.168.2.4
Jan 14, 2025 22:41:59.662322044 CET	50168	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.667259932 CET	445	50168	93.57.185.2	192.168.2.4
Jan 14, 2025 22:41:59.667413950 CET	50168	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.667445898 CET	50168	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.667887926 CET	50169	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.672576904 CET	445	50168	93.57.185.2	192.168.2.4
Jan 14, 2025 22:41:59.672694921 CET	445	50169	93.57.185.2	192.168.2.4
Jan 14, 2025 22:41:59.672777891 CET	50169	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.672836065 CET	50169	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.672868013 CET	50168	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:41:59.677674055 CET	445	50169	93.57.185.2	192.168.2.4
Jan 14, 2025 22:41:59.739742041 CET	445	50078	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:59.739940882 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:59.740001917 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:59.740001917 CET	50078	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:41:59.744885921 CET	445	50078	92.108.92.2	192.168.2.4
Jan 14, 2025 22:41:59.744905949 CET	445	50078	92.108.92.2	192.168.2.4
Jan 14, 2025 22:42:00.412240982 CET	50181	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:42:00.417304993 CET	445	50181	138.57.43.1	192.168.2.4
Jan 14, 2025 22:42:00.417383909 CET	50181	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:42:00.417401075 CET	50181	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:42:00.422199965 CET	445	50181	138.57.43.1	192.168.2.4
Jan 14, 2025 22:42:00.653405905 CET	445	50158	62.23.223.9	192.168.2.4
Jan 14, 2025 22:42:00.653542995 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:42:00.653589010 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:42:00.653625965 CET	50158	445	192.168.2.4	62.23.223.9
Jan 14, 2025 22:42:00.658588886 CET	445	50158	62.23.223.9	192.168.2.4
Jan 14, 2025 22:42:00.658615112 CET	445	50158	62.23.223.9	192.168.2.4
Jan 14, 2025 22:42:00.789035082 CET	50184	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.793811083 CET	445	50184	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:00.793884039 CET	50184	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.793927908 CET	50184	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.794238091 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.798899889 CET	445	50184	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:00.798953056 CET	50184	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.799026012 CET	445	50186	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:00.799109936 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.799148083 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:00.803958893 CET	445	50186	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:01.275122881 CET	445	50082	164.124.34.1	192.168.2.4
Jan 14, 2025 22:42:01.275187969 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:01.275223970 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:01.275265932 CET	50082	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:01.280253887 CET	445	50082	164.124.34.1	192.168.2.4
Jan 14, 2025 22:42:01.280320883 CET	445	50082	164.124.34.1	192.168.2.4
Jan 14, 2025 22:42:01.632483959 CET	445	50083	40.106.189.1	192.168.2.4
Jan 14, 2025 22:42:01.632580042 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:42:01.632668018 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:42:01.632721901 CET	50083	445	192.168.2.4	40.106.189.1
Jan 14, 2025 22:42:01.638992071 CET	445	50083	40.106.189.1	192.168.2.4
Jan 14, 2025 22:42:01.639005899 CET	445	50083	40.106.189.1	192.168.2.4
Jan 14, 2025 22:42:01.693375111 CET	50201	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.699237108 CET	445	50201	40.106.189.2	192.168.2.4
Jan 14, 2025 22:42:01.699350119 CET	50201	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.699362993 CET	50201	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.699780941 CET	50202	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.705241919 CET	445	50201	40.106.189.2	192.168.2.4
Jan 14, 2025 22:42:01.705259085 CET	445	50202	40.106.189.2	192.168.2.4
Jan 14, 2025 22:42:01.705303907 CET	50201	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.705342054 CET	50202	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.705373049 CET	50202	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:01.710217953 CET	445	50202	40.106.189.2	192.168.2.4
Jan 14, 2025 22:42:02.412036896 CET	50216	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:42:02.417021036 CET	445	50216	116.248.34.1	192.168.2.4
Jan 14, 2025 22:42:02.419210911 CET	50216	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:42:02.419306040 CET	50216	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:42:02.424982071 CET	445	50216	116.248.34.1	192.168.2.4
Jan 14, 2025 22:42:02.681807995 CET	445	50186	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:02.681912899 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:02.681976080 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:02.681976080 CET	50186	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:02.686930895 CET	445	50186	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:02.686942101 CET	445	50186	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:02.755865097 CET	50223	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:42:02.760780096 CET	445	50223	92.108.92.2	192.168.2.4
Jan 14, 2025 22:42:02.760881901 CET	50223	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:42:02.760919094 CET	50223	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:42:02.765660048 CET	445	50223	92.108.92.2	192.168.2.4
Jan 14, 2025 22:42:03.005599022 CET	445	50088	155.93.3.1	192.168.2.4
Jan 14, 2025 22:42:03.005672932 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:03.007932901 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:03.007980108 CET	50088	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:03.012725115 CET	445	50088	155.93.3.1	192.168.2.4
Jan 14, 2025 22:42:03.012734890 CET	445	50088	155.93.3.1	192.168.2.4
Jan 14, 2025 22:42:03.806592941 CET	445	50089	29.248.211.1	192.168.2.4
Jan 14, 2025 22:42:03.806736946 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:42:03.806765079 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:42:03.806794882 CET	50089	445	192.168.2.4	29.248.211.1
Jan 14, 2025 22:42:03.811551094 CET	445	50089	29.248.211.1	192.168.2.4
Jan 14, 2025 22:42:03.811563015 CET	445	50089	29.248.211.1	192.168.2.4
Jan 14, 2025 22:42:03.866791010 CET	50253	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.871723890 CET	445	50253	29.248.211.2	192.168.2.4
Jan 14, 2025 22:42:03.871865034 CET	50253	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.871954918 CET	50253	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.872298002 CET	50254	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.876985073 CET	445	50253	29.248.211.2	192.168.2.4
Jan 14, 2025 22:42:03.877062082 CET	50253	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.877094984 CET	445	50254	29.248.211.2	192.168.2.4
Jan 14, 2025 22:42:03.877151012 CET	50254	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.877197981 CET	50254	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:03.881973982 CET	445	50254	29.248.211.2	192.168.2.4
Jan 14, 2025 22:42:04.287112951 CET	50264	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:04.292087078 CET	445	50264	164.124.34.1	192.168.2.4
Jan 14, 2025 22:42:04.292253971 CET	50264	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:04.292299986 CET	50264	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:04.297106981 CET	445	50264	164.124.34.1	192.168.2.4
Jan 14, 2025 22:42:04.665904045 CET	445	50092	98.156.92.1	192.168.2.4
Jan 14, 2025 22:42:04.667615891 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:42:04.667695045 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:42:04.667737961 CET	50092	445	192.168.2.4	98.156.92.1
Jan 14, 2025 22:42:04.672491074 CET	445	50092	98.156.92.1	192.168.2.4
Jan 14, 2025 22:42:04.672502995 CET	445	50092	98.156.92.1	192.168.2.4
Jan 14, 2025 22:42:05.693315983 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:05.694964886 CET	445	50093	186.87.86.1	192.168.2.4
Jan 14, 2025 22:42:05.695038080 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:42:05.695082903 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:42:05.695082903 CET	50093	445	192.168.2.4	186.87.86.1
Jan 14, 2025 22:42:05.698172092 CET	445	50313	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:05.698250055 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:05.698263884 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:05.699889898 CET	445	50093	186.87.86.1	192.168.2.4
Jan 14, 2025 22:42:05.699901104 CET	445	50093	186.87.86.1	192.168.2.4
Jan 14, 2025 22:42:05.703017950 CET	445	50313	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:05.755812883 CET	50315	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.760765076 CET	445	50315	186.87.86.2	192.168.2.4
Jan 14, 2025 22:42:05.760873079 CET	50315	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.760905981 CET	50315	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.761261940 CET	50316	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.767035961 CET	445	50316	186.87.86.2	192.168.2.4
Jan 14, 2025 22:42:05.767097950 CET	50316	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.767122030 CET	50316	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.768431902 CET	445	50315	186.87.86.2	192.168.2.4
Jan 14, 2025 22:42:05.768486977 CET	50315	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:05.772049904 CET	445	50316	186.87.86.2	192.168.2.4
Jan 14, 2025 22:42:06.021641970 CET	50331	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:06.026523113 CET	445	50331	155.93.3.1	192.168.2.4
Jan 14, 2025 22:42:06.026624918 CET	50331	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:06.026658058 CET	50331	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:06.031461954 CET	445	50331	155.93.3.1	192.168.2.4
Jan 14, 2025 22:42:06.196831942 CET	445	50096	88.243.135.1	192.168.2.4
Jan 14, 2025 22:42:06.196892023 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:42:06.196921110 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:42:06.196955919 CET	50096	445	192.168.2.4	88.243.135.1
Jan 14, 2025 22:42:06.201746941 CET	445	50096	88.243.135.1	192.168.2.4
Jan 14, 2025 22:42:06.201761007 CET	445	50096	88.243.135.1	192.168.2.4
Jan 14, 2025 22:42:07.344124079 CET	445	50313	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:07.344244003 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:07.344290972 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:07.344333887 CET	50313	445	192.168.2.4	62.23.223.10
Jan 14, 2025 22:42:07.349426985 CET	445	50313	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:07.349437952 CET	445	50313	62.23.223.10	192.168.2.4
Jan 14, 2025 22:42:07.396783113 CET	50446	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.401747942 CET	445	50446	62.23.223.11	192.168.2.4
Jan 14, 2025 22:42:07.401910067 CET	50446	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.401910067 CET	50446	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.402229071 CET	50448	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.406912088 CET	445	50446	62.23.223.11	192.168.2.4
Jan 14, 2025 22:42:07.407022953 CET	445	50448	62.23.223.11	192.168.2.4
Jan 14, 2025 22:42:07.407049894 CET	50446	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.407073021 CET	50448	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.407116890 CET	50448	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:07.413177013 CET	445	50448	62.23.223.11	192.168.2.4
Jan 14, 2025 22:42:07.599920034 CET	445	50099	26.53.204.1	192.168.2.4
Jan 14, 2025 22:42:07.600136042 CET	50099	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:42:07.650336027 CET	445	50101	177.235.101.1	192.168.2.4
Jan 14, 2025 22:42:07.650408983 CET	50101	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:42:08.337100983 CET	50101	445	192.168.2.4	177.235.101.1
Jan 14, 2025 22:42:08.337217093 CET	50216	445	192.168.2.4	116.248.34.1
Jan 14, 2025 22:42:08.337258101 CET	50169	445	192.168.2.4	93.57.185.2
Jan 14, 2025 22:42:08.337292910 CET	50143	445	192.168.2.4	132.150.152.2
Jan 14, 2025 22:42:08.337292910 CET	50119	445	192.168.2.4	154.37.134.2
Jan 14, 2025 22:42:08.337321997 CET	50129	445	192.168.2.4	95.132.23.2
Jan 14, 2025 22:42:08.337382078 CET	50316	445	192.168.2.4	186.87.86.2
Jan 14, 2025 22:42:08.337402105 CET	50202	445	192.168.2.4	40.106.189.2
Jan 14, 2025 22:42:08.337419987 CET	50150	445	192.168.2.4	44.158.242.2
Jan 14, 2025 22:42:08.337444067 CET	50254	445	192.168.2.4	29.248.211.2
Jan 14, 2025 22:42:08.337470055 CET	50133	445	192.168.2.4	74.34.234.1
Jan 14, 2025 22:42:08.337539911 CET	50099	445	192.168.2.4	26.53.204.1
Jan 14, 2025 22:42:08.337564945 CET	50104	445	192.168.2.4	94.19.17.1
Jan 14, 2025 22:42:08.337609053 CET	50110	445	192.168.2.4	83.62.182.1
Jan 14, 2025 22:42:08.337630987 CET	50107	445	192.168.2.4	61.245.141.1
Jan 14, 2025 22:42:08.337630987 CET	50113	445	192.168.2.4	220.64.64.1
Jan 14, 2025 22:42:08.337654114 CET	50114	445	192.168.2.4	153.21.9.1
Jan 14, 2025 22:42:08.337682962 CET	50117	445	192.168.2.4	126.46.181.1
Jan 14, 2025 22:42:08.337701082 CET	50122	445	192.168.2.4	159.230.126.1
Jan 14, 2025 22:42:08.337723017 CET	50123	445	192.168.2.4	36.85.203.1
Jan 14, 2025 22:42:08.337750912 CET	50127	445	192.168.2.4	24.6.220.1
Jan 14, 2025 22:42:08.337778091 CET	50132	445	192.168.2.4	8.141.111.1
Jan 14, 2025 22:42:08.337848902 CET	50138	445	192.168.2.4	174.98.210.1
Jan 14, 2025 22:42:08.337877989 CET	50141	445	192.168.2.4	32.135.43.1
Jan 14, 2025 22:42:08.337897062 CET	50153	445	192.168.2.4	51.209.245.1
Jan 14, 2025 22:42:08.337928057 CET	50181	445	192.168.2.4	138.57.43.1
Jan 14, 2025 22:42:08.337970018 CET	50264	445	192.168.2.4	164.124.34.1
Jan 14, 2025 22:42:08.338020086 CET	50223	445	192.168.2.4	92.108.92.2
Jan 14, 2025 22:42:08.338188887 CET	50331	445	192.168.2.4	155.93.3.1
Jan 14, 2025 22:42:08.338917971 CET	50448	445	192.168.2.4	62.23.223.11
Jan 14, 2025 22:42:10.365626097 CET	49723	80	192.168.2.4	199.232.214.172
Jan 14, 2025 22:42:10.370661974 CET	80	49723	199.232.214.172	192.168.2.4
Jan 14, 2025 22:42:10.370723963 CET	49723	80	192.168.2.4	199.232.214.172
Jan 14, 2025 22:42:10.391160965 CET	49724	80	192.168.2.4	199.232.214.172
Jan 14, 2025 22:42:10.396133900 CET	80	49724	199.232.214.172	192.168.2.4
Jan 14, 2025 22:42:10.396199942 CET	49724	80	192.168.2.4	199.232.214.172
Jan 14, 2025 22:43:08.478377104 CET	50676	445	192.168.2.4	165.136.30.23
Jan 14, 2025 22:43:08.486581087 CET	445	50676	165.136.30.23	192.168.2.4
Jan 14, 2025 22:43:08.486711025 CET	50676	445	192.168.2.4	165.136.30.23
Jan 14, 2025 22:43:08.486740112 CET	50676	445	192.168.2.4	165.136.30.23
Jan 14, 2025 22:43:08.486991882 CET	50677	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.492108107 CET	445	50676	165.136.30.23	192.168.2.4
Jan 14, 2025 22:43:08.492129087 CET	445	50677	165.136.30.1	192.168.2.4
Jan 14, 2025 22:43:08.492189884 CET	50676	445	192.168.2.4	165.136.30.23
Jan 14, 2025 22:43:08.492240906 CET	50677	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.493051052 CET	50677	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.494272947 CET	50679	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.499025106 CET	445	50677	165.136.30.1	192.168.2.4
Jan 14, 2025 22:43:08.499082088 CET	50677	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.500833988 CET	445	50679	165.136.30.1	192.168.2.4
Jan 14, 2025 22:43:08.500896931 CET	50679	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.500984907 CET	50679	445	192.168.2.4	165.136.30.1
Jan 14, 2025 22:43:08.505743980 CET	445	50679	165.136.30.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 22:41:21.971124887 CET	138	138	192.168.2.4	192.168.2.255

Target ID:	0
Start time:	16:41:01
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll"
Imagebase:	0xf50000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	16:41:01
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\YZJG8NuHEP.dll,PlayGame
Imagebase:	0xf30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",#1
Imagebase:	0xf30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	36A6816280FA05CCF0410403B43F7091
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.1697675504.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	36A6816280FA05CCF0410403B43F7091
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1699473537.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2343027170.000000000212C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.2342710873.0000000001C12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	72F53F9BE5E49E89CAED84A61110BF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs Detection: 85%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff74b060000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7688 -ip 7688
Imagebase:	0x3c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	16:41:02
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 228
Imagebase:	0x3c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	16:41:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\YZJG8NuHEP.dll",PlayGame
Imagebase:	0xf30000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:41:05
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	36A6816280FA05CCF0410403B43F7091
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000002.1729378890.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000C.00000000.1726689356.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:41:05
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	72F53F9BE5E49E89CAED84A61110BF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:41:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8028 -ip 8028
Imagebase:	0x3c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	16:41:05
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 196
Imagebase:	0x3c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:43:07
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	36A6816280FA05CCF0410403B43F7091
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000014.00000002.2955717981.000000000228B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000014.00000002.2955258904.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000014.00000000.2950059693.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	81.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

tasksche.exe, xrefs: 00407DEA
CreateFileA, xrefs: 00407D0F
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000005.00000002.1701937096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1701883942.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701968897.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702543507.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000005.00000002.1701937096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1701883942.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701968897.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702543507.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.1701937096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1701883942.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701968897.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702543507.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000005.00000002.1701937096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1701883942.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701968897.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702543507.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.1701937096.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1701883942.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701968897.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1701991098.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702543507.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1702688188.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7628, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.2341745059.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2341724953.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341764458.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341843769.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341860867.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000006.00000002.2341745059.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2341724953.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341764458.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341843769.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341860867.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000006.00000002.2341745059.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2341724953.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341764458.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341843769.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341860867.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3
CreateProcessA, xrefs: 00407D07
CloseHandle, xrefs: 00407D29
C:\%s\%s, xrefs: 00407DFB
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D

Memory Dump Source

Source File: 00000006.00000002.2341745059.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2341724953.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341764458.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341843769.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341860867.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.2341745059.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.2341724953.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341764458.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341781688.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341826497.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341843769.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341860867.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.2341948132.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 7688, Parent PID: 7584COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 004077BA Relevance: 1.6, APIs: 1, Instructions: 111
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000002), ref: 004077E7

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfd8e3bc251a609b923ee84314f981157ecd194afd53806702bb476cb8b66a50
Instruction ID: 57d92ca68de9f17921d1a12c15d34c329a61f20750848fe313e479baa5e7fd82
Opcode Fuzzy Hash: dfd8e3bc251a609b923ee84314f981157ecd194afd53806702bb476cb8b66a50
Instruction Fuzzy Hash: 10418DB1D04344AFDB20AFA4DE49A697BB8AB09710F20413FE581B72E1C7786841CB59

Non-executed Functions

Function 0040350F Relevance: 2.7, Strings: 2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: $Q;@
API String ID: 0-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00402A76 Relevance: 1.6, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 00404C19 Relevance: 1.6, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WG@, xrefs: 00404C26

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: WG@
API String ID: 0-1599502709
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 00403797 Relevance: 1.5, Strings: 1, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004043B6 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5062141294976e9a15f3d534513453e835868338a667c563a394678185a2e0ae
Instruction ID: 507edf943f6954747fb652e063bbb54c6dd3cd628c171472844fae73eabc1576
Opcode Fuzzy Hash: 5062141294976e9a15f3d534513453e835868338a667c563a394678185a2e0ae
Instruction Fuzzy Hash: A6520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 00406C40 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4aa03407b4b886905fa73947b5e66cb56c06cbdc47549cb14339d3dddfd134
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 9a4aa03407b4b886905fa73947b5e66cb56c06cbdc47549cb14339d3dddfd134
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00402E7E Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1876295025.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.1876274239.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876317005.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000007.00000002.1876341422.0000000000422000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Analysis Process: mssecsvc.exePID: 7408, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F380EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000014.00000002.2953904841.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2953884842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953932991.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954017909.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954051943.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000014.00000002.2953904841.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2953884842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953932991.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954017909.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954051943.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F380EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000014.00000002.2953904841.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2953884842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953932991.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954017909.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954051943.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F380EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

WriteFile, xrefs: 00407D1C
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
kernel32.dll, xrefs: 00407CEA
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000014.00000002.2953904841.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2953884842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953932991.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954017909.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954051943.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000014.00000002.2953904841.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000014.00000002.2953884842.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953932991.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953953545.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2953999772.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954017909.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954051943.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000014.00000002.2954148977.0000000000732000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report YZJG8NuHEP.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_95c5d52131db7cdcde798bdada93a1a1ba417_34a83304_57113ea3-4897-475b-987e-e697450e5ca3\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_95c5d52131db7cdcde798bdada93a1a1ba417_34a83304_ebbf6be9-8573-47fc-ae79-7da5b7c9842d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBF06.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC485.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4A5.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4B3.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC502.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC975.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFB0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFD0.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCFE0.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD02F.tmp.txt

Windows Analysis Report
YZJG8NuHEP.dll