Edit tour

Windows Analysis Report
tTbeoLWNhb.dll

Overview

General Information

Sample name:	tTbeoLWNhb.dll renamed because original name is a hash value
Original sample name:	4c58581fa08accc15994f3db1098a5bc.dll
Analysis ID:	1591518
MD5:	4c58581fa08accc15994f3db1098a5bc
SHA1:	1a349b33c6cc821b814138eb9619fcbce20e6eda
SHA256:	7ab78920ad07396864187254f5323571807df03ca90c6b5eab2d1c8d0c27b4d5
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6844 cmdline: loaddll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2832 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 4528 cmdline: rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 792 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 9BCD08D46432B6DAC27417B0DE3DA8B1)

tasksche.exe (PID: 6168 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 82246A37BC2B94A29240A8B49DE5CF57)

rundll32.exe (PID: 4320 cmdline: rundll32.exe C:\Users\user\Desktop\tTbeoLWNhb.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2100 cmdline: rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 3904 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 9BCD08D46432B6DAC27417B0DE3DA8B1)

tasksche.exe (PID: 6720 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 82246A37BC2B94A29240A8B49DE5CF57)

mssecsvc.exe (PID: 2160 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 9BCD08D46432B6DAC27417B0DE3DA8B1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
tTbeoLWNhb.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
tTbeoLWNhb.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
tTbeoLWNhb.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\mssecsvc.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\mssecsvc.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xe048:$x7: mssecsvc.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
C:\Windows\mssecsvc.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
C:\Windows\mssecsvc.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\mssecsvc.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 4 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000000.1537482998.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000C.00000002.1548367393.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1510211339.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000000.1547215244.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.1537853597.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.1549881056.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1525328575.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 792	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 2160	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 3904	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.1d6b084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.228e8c8.11.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.22c096c.12.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.22c096c.12.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.22c096c.12.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.22c096c.12.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.229d948.10.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.229d948.10.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.229d948.10.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.229d948.10.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1d9d128.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d9d128.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d9d128.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1d9d128.4.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d7a104.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d7a104.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d7a104.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1d7a104.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.228e8c8.11.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.228e8c8.11.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.228e8c8.11.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d6b084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d6b084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x286de4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x276bb0:$x3: tasksche.exe 0x286dc0:$x3: tasksche.exe 0x286d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x286e14:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x276c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24126c:$x7: mssecsvc.exe 0x25cb94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x276b88:$x8: C:\%s\qeriuwjhrf 0x286de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x241254:$s1: C:\%s\%s 0x25cb7c:$s1: C:\%s\%s 0x276b9c:$s1: C:\%s\%s 0x286d14:$s3: cmd.exe /c "%s" 0x2b9268:$s4: msg/m_portuguese.wnry
8.2.mssecsvc.exe.1d6b084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1d6b084.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x286dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x286de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1d6b084.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2798fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x24d8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24f25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x27f0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d9d128.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d9d128.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d9d128.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1d9d128.4.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1d760a4.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d760a4.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d760a4.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.22998e8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.22998e8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.22998e8.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.22c096c.12.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.22c096c.12.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.22c096c.12.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.22c096c.12.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.229d948.10.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.229d948.10.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.229d948.10.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1d7a104.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1d7a104.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x50b9ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x50b9d4:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1d7a104.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 135 entries

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281978+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.8	49706	TCP
2025-01-15T02:52:30.686912+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.8	49707	TCP
2025-01-15T02:52:31.686298+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.8	49719	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:28.759322+0100	2024291	1	A Network Trojan was detected	192.168.2.8	57246	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281342+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024298	1	A Network Trojan was detected	192.168.2.8	49719	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281342+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024299	1	A Network Trojan was detected	192.168.2.8	49719	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281342+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024301	1	A Network Trojan was detected	192.168.2.8	49719	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281342+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024302	1	A Network Trojan was detected	192.168.2.8	49719	104.16.167.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T02:52:29.281342+0100	2803304	3	Unknown Traffic	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2803304	3	Unknown Traffic	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2803304	3	Unknown Traffic	192.168.2.8	49719	104.16.167.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tTbeoLWNhb.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\mssecsvc.exe	Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 100%
Source: C:\Windows\mssecsvc.exe	ReversingLabs: Detection: 93%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 100%

Multi AV Scanner detection for submitted file

Source: tTbeoLWNhb.dll	ReversingLabs: Detection: 94%
Source: tTbeoLWNhb.dll	Virustotal: Detection: 93%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\mssecsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: tTbeoLWNhb.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 10_2_004018B9 CryptReleaseContext,

10_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: tTbeoLWNhb.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source:	Binary string: ntdll.pdb source: tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr
Source:	Binary string: ntdll.pdb3 source: tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49719 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49719 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49719 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49719 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49706 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49706 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49706 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49706 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.8:49707 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.8:49707 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.8:49707 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.8:49707 -> 104.16.167.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:29 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90223a068edf8c99-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:30 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90223a0e4a055e65-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 01:52:31 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 90223a15992bde9b-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: unknown

Network traffic detected: IP country count 11

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.8:57246 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49719 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49706 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.8:49719
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.8:49706
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49707 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.8:49707

Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.83
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.83
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.83
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.83
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 28.124.93.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.67
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.67
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.67
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.67
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 152.30.194.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.26
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.26
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.26
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.26
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 101.229.22.1
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.98
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.98
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.98
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.98
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 121.178.121.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://api.adtimaserver.vn/rdext/json2?count=1&zoneId=870285593013603088
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://api.adtimaserver.vn/renders4?agent=&zones=1894904669163438980
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://b.scorecardresearch.com/b?c1=2&c2=10367196&ns__t=1497259682395&ns_c=UTF-8&cv=3.1&c8=Ng%C6%B0%
Source: tasksche.exe.6.dr	String found in binary or memory: http://eva.vn/phim-hay/buc-anh-he-lo-nguoi-dan-ong-cuoi-cung-cua-van-trong-song-chung-voi-me-chong-g
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://log.adtimaserver.vn/trackpv/?aid=c26abb975506e00158a22c6b553a9c90&category=ct%3Dvi%3Bcategory
Source: tasksche.exe.6.dr	String found in binary or memory: http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlAdtima
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlCriteo
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlScorecardResear
Source: tasksche.exe.6.dr	String found in binary or memory: http://quangcao.24h.com.vn/quangcao/2017/03/test17007_bbthanhmai_tremai_9397.html
Source: tasksche.exe.6.dr	String found in binary or memory: http://quangcao.eva.vn/quangcao/2017/03/test17007_bbthanhmai_giamgia50_9396.html
Source: mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://rtax.criteo.com/delivery/rta/rta.js?netId=3254&cookieName=crtg_vng_rta&rnd=74276450073&varNam
Source: tasksche.exe.6.dr	String found in binary or memory: http://st-n.ads3-adnow.com/js/ta.js
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://tpc.googlesyndication.com/
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://tpc.googlesyndication.com/Dhttp://tpc.googlesyndication.com/safeframe/1-0-9/html/container.ht
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: http://tpc.googlesyndication.com/safeframe/1-0-9/html/container.html
Source: mssecsvc.exe.3.dr	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000006.00000002.1541734957.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C7F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2
Source: mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/i
Source: mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ll
Source: mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s9
Source: mssecsvc.exe, 00000008.00000002.2173045165.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: tasksche.exe.6.dr	String found in binary or memory: https://apis.google.com/se/0/_/
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: https://muachung.vn/du-lich/hanh-huong-yen-tu-chua-dong-ba-vang-1-ngay-165493.html?utm_source=admark
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: https://muachung.vn/du-lich/thung-nai-dong-thac-bo-moc-chau-2n1d-89780.html?utm_source=admarket&utm_
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: https://muachung.vn/gia-dung-noi-that/combo-10-vien-tay-bon-cau-176957.html?utm_source=admarket&utm_
Source: mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	String found in binary or memory: https://muachung.vn/gia-dung-noi-that/combo-3-khan-mat-nhat-100-cotton-34x34cm-175139.html?utm_sourc
Source: tasksche.exe.6.dr	String found in binary or memory: https://www.google-analytics.com/plugins/ua/linkid.js

Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

10_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: tTbeoLWNhb.dll, type: SAMPLE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.228e8c8.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d760a4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.22998e8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.229d948.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1d7a104.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000000.1510211339.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1537853597.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1549881056.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1525328575.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 792, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 2160, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3904, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\mssecsvc.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: tTbeoLWNhb.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: tTbeoLWNhb.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d6b084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.228e8c8.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.228e8c8.11.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.228e8c8.11.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1d760a4.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d760a4.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.22998e8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22998e8.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.229d948.10.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.229d948.10.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1d7a104.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1d7a104.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0000000A.00000000.1537482998.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.1548367393.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.1547215244.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 10_2_00406C40	10_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402A76	10_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 10_2_00402E7E	10_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040350F	10_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00404C19	10_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 10_2_0040541F	10_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 10_2_00403797	10_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 10_2_004043B7	10_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 10_2_004031BC	10_2_004031BC

Source: Joe Sandbox View	Dropped File: C:\WINDOWS\qeriuwjhrf (copy) 372BE1952CBC480EE462D263E3E067B82AE542E7B65789508575642BD960F18E
Source: Joe Sandbox View	Dropped File: C:\Windows\tasksche.exe 372BE1952CBC480EE462D263E3E067B82AE542E7B65789508575642BD960F18E

Source: mssecsvc.exe.3.dr	Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: tasksche.exe.6.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: tTbeoLWNhb.dll

Binary or memory string: OriginalFilenamentdll.dllj% vs tTbeoLWNhb.dll

Source: tTbeoLWNhb.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: tTbeoLWNhb.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: tTbeoLWNhb.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d6b084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.228e8c8.11.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.22c096c.12.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.229d948.10.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d9d128.4.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1d7a104.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.228e8c8.11.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.228e8c8.11.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d6b084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d9d128.4.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1d760a4.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d760a4.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.22998e8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.22998e8.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.22c096c.12.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.229d948.10.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.229d948.10.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1d7a104.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1d7a104.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0000000A.00000000.1537482998.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.1548367393.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.1547215244.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\mssecsvc.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 0000000A.00000000.1537482998.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000002.1548367393.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/3@1/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03

Source: tTbeoLWNhb.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTbeoLWNhb.dll,PlayGame

Source: tTbeoLWNhb.dll	ReversingLabs: Detection: 94%
Source: tTbeoLWNhb.dll	Virustotal: Detection: 93%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTbeoLWNhb.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",PlayGame
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tTbeoLWNhb.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: tTbeoLWNhb.dll

Static file information: File size 5267459 > 1048576

Source: tTbeoLWNhb.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source:	Binary string: ntdll.pdb source: tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr
Source:	Binary string: ntdll.pdb3 source: tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 10_2_00407710 push eax; ret		10_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 10_2_004076C8 push eax; ret		10_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\mssecsvc.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 3428	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 3428	Thread sleep time: -186000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 3404	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 3404	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 3428	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\tasksche.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\tasksche.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\tasksche.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\tasksche.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: mssecsvc.exe, 00000006.00000002.1541734957.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhc
Source: mssecsvc.exe, 00000006.00000002.1541734957.0000000000B54000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2174378063.0000000000CAC000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C9E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mssecsvc.exe, 00000006.00000002.1541734957.0000000000B54000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWMv

Source: C:\Windows\tasksche.exe

Code function: 10_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

10_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 10_2_004029CC free,GetProcessHeap,HeapFree,

10_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	11 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tTbeoLWNhb.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
tTbeoLWNhb.dll	93%	Virustotal		Browse
tTbeoLWNhb.dll	100%	Avira	TR/Ransom.Gen
tTbeoLWNhb.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\mssecsvc.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\mssecsvc.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	100%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\mssecsvc.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
https://muachung.vn/du-lich/thung-nai-dong-thac-bo-moc-chau-2n1d-89780.html?utm_source=admarket&utm_	0%	Avira URL Cloud	safe
http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx	0%	Avira URL Cloud	safe
http://st-n.ads3-adnow.com/js/ta.js	0%	Avira URL Cloud	safe
http://quangcao.24h.com.vn/quangcao/2017/03/test17007_bbthanhmai_tremai_9397.html	0%	Avira URL Cloud	safe
https://muachung.vn/gia-dung-noi-that/combo-3-khan-mat-nhat-100-cotton-34x34cm-175139.html?utm_sourc	0%	Avira URL Cloud	safe
http://quangcao.eva.vn/quangcao/2017/03/test17007_bbthanhmai_giamgia50_9396.html	0%	Avira URL Cloud	safe
https://muachung.vn/du-lich/hanh-huong-yen-tu-chua-dong-ba-vang-1-ngay-165493.html?utm_source=admark	0%	Avira URL Cloud	safe
https://muachung.vn/gia-dung-noi-that/combo-10-vien-tay-bon-cau-176957.html?utm_source=admarket&utm_	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	true	false		high
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ll	mssecsvc.exe, 0000000B.00000002.1551092192.0000000000C48000.00000004.00000020.00020000.00000000.sdmp	false		high
http://b.scorecardresearch.com/b?c1=2&c2=10367196&ns__t=1497259682395&ns_c=UTF-8&cv=3.1&c8=Ng%C6%B0%	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
http://rtax.criteo.com/delivery/rta/rta.js?netId=3254&cookieName=crtg_vng_rta&rnd=74276450073&varNam	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
http://api.adtimaserver.vn/rdext/json2?count=1&zoneId=870285593013603088	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
https://muachung.vn/du-lich/thung-nai-dong-thac-bo-moc-chau-2n1d-89780.html?utm_source=admarket&utm_	mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
https://muachung.vn/gia-dung-noi-that/combo-3-khan-mat-nhat-100-cotton-34x34cm-175139.html?utm_sourc	mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://log.adtimaserver.vn/trackpv/?aid=c26abb975506e00158a22c6b553a9c90&category=ct%3Dvi%3Bcategory	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
http://toolbar.conduit.com/Developer/HtmlAndGadget/Methods/JSInjection.aspx	mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlCriteo	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	mssecsvc.exe.3.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/2	mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://muachung.vn/du-lich/hanh-huong-yen-tu-chua-dong-ba-vang-1-ngay-165493.html?utm_source=admark	mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlScorecardResear	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
http://quangcao.eva.vn/quangcao/2017/03/test17007_bbthanhmai_giamgia50_9396.html	tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/i	mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false		high
https://apis.google.com/se/0/_/	tasksche.exe.6.dr	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/s9	mssecsvc.exe, 00000008.00000002.2174378063.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false		high
http://st-n.ads3-adnow.com/js/ta.js	tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://mp3.zing.vn/album/Nhung-Bai-Hat-Hay-Nhat-Cua-Nhu-Quynh-Nhu-Quynh/ZWZBOZOA.htmlAdtima	tasksche.exe.6.dr	false		high
http://quangcao.24h.com.vn/quangcao/2017/03/test17007_bbthanhmai_tremai_9397.html	tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://eva.vn/phim-hay/buc-anh-he-lo-nguoi-dan-ong-cuoi-cung-cua-van-trong-song-chung-voi-me-chong-g	tasksche.exe.6.dr	false		high
http://api.adtimaserver.vn/renders4?agent=&zones=1894904669163438980	mssecsvc.exe, 00000006.00000000.1510351488.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.00000000020A9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000025CD000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 0000000A.00000000.1537510797.000000000070C000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000002.1550066057.0000000000A1C000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000002.1548413990.000000000070C000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false		high
https://muachung.vn/gia-dung-noi-that/combo-10-vien-tay-bon-cau-176957.html?utm_source=admarket&utm_	mssecsvc.exe, 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000008.00000002.2174815751.0000000001F9F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2175529883.00000000024C3000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmp, mssecsvc.exe, 0000000B.00000000.1538073196.0000000000912000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000C.00000000.1547246088.0000000000602000.00000002.00000001.01000000.00000007.sdmp, tTbeoLWNhb.dll, mssecsvc.exe.3.dr, tasksche.exe.6.dr	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000008.00000002.2173045165.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.78.105.2	unknown	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	false
5.78.105.3	unknown	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	false
5.78.105.1	unknown	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	false
1.32.83.1	unknown	Malaysia	4788	TMNET-AS-APTMNetInternetServiceProviderMY	false
163.172.72.249	unknown	United Kingdom	12876	OnlineSASFR	false
203.207.57.154	unknown	Indonesia	55699	STARNET-AS-IDPTCemerlangMultimediaID	false
107.39.6.89	unknown	United States	16567	NETRIX-16567US	false
219.130.9.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
177.124.25.1	unknown	Brazil	262315	ROALNETSOLUCOESWEBLTDABR	false
5.78.105.227	unknown	Iran (ISLAMIC Republic Of)	16322	PARSONLINETehran-IRANIR	false
107.39.6.1	unknown	United States	16567	NETRIX-16567US	false
101.229.22.2	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
101.229.22.1	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
121.178.121.98	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
22.150.89.111	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
28.124.93.83	unknown	United States	7922	COMCAST-7922US	false
177.124.25.37	unknown	Brazil	262315	ROALNETSOLUCOESWEBLTDABR	false
181.250.17.1	unknown	Colombia	26611	COMCELSACO	false
107.227.162.245	unknown	United States	7018	ATT-INTERNET4US	false
21.90.103.237	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
95.55.13.208	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false
215.188.3.1	unknown	United States	721	DNIC-ASBLK-00721-00726US	false
165.71.85.103	unknown	United States	29885	UCHHS-ASUS	false
155.74.15.2	unknown	United States	4010	DNIC-AS-04010US	false
95.55.13.1	unknown	Russian Federation	12389	ROSTELECOM-ASRU	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591518
Start date and time:	2025-01-15 02:51:18 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tTbeoLWNhb.dll renamed because original name is a hash value
Original Sample Name:	4c58581fa08accc15994f3db1098a5bc.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/3@1/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 199.232.214.172, 2.23.77.188, 13.85.23.206, 52.165.164.15, 13.107.246.45
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 6168 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:52:30	API Interceptor	1x Sleep call for process: loaddll32.exe modified
20:53:04	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	v9xYj92wR3.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	bopY0ot9wf.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	hzQNazOx3Z.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	sEVVq8g1dJ.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	hsmSW6Eifl.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	Yx3rRuVx3c.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	5Q6ffmX9tQ.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	9nNO3SHiV1.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
	k6fBkyS1R6.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
bg.microsoft.map.fastly.net	Document-01-16-25.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	Eastern Contractors Corporation Contract and submittal document.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	v9xYj92wR3.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	https://securityalert-corporate.com/click/f288bff9-842d-4e34-8d2d-41ad20e48e9d	Get hash	malicious	Unknown	Browse	199.232.214.172
	FjSrGs0AE2.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	jgd5ZGl1vA.dll	Get hash	malicious	Wannacry	Browse	199.232.214.172
	logitix.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	DHL AWB CUSTOM CLEARANCE.xls	Get hash	malicious	Unknown	Browse	199.232.214.172
	62.122.184.98 (2).ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	62.122.184.98 (2).ps1	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PARSONLINETehran-IRANIR	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	188.245.202.211
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.245.212.29
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	installer.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	skript.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	din.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	yoda.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	lem.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	script.ps1	Get hash	malicious	Vidar	Browse	188.245.216.205
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
PARSONLINETehran-IRANIR	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	188.245.202.211
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.245.212.29
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	installer.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	skript.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	din.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	yoda.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	lem.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	script.ps1	Get hash	malicious	Vidar	Browse	188.245.216.205
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
PARSONLINETehran-IRANIR	https://www.xrmtoolbox.com/	Get hash	malicious	Unknown	Browse	188.245.202.211
	http://cipassoitalia.it	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	188.245.212.29
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	installer.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	skript.bat	Get hash	malicious	Vidar	Browse	188.245.216.205
	din.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	yoda.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	lem.exe	Get hash	malicious	Vidar	Browse	188.245.216.205
	script.ps1	Get hash	malicious	Vidar	Browse	188.245.216.205
	PodcastsTries.exe	Get hash	malicious	Vidar	Browse	188.245.216.205

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Windows\tasksche.exe	u6J827hhVw.dll	Get hash	malicious	Wannacry	Browse
C:\WINDOWS\qeriuwjhrf (copy)	u6J827hhVw.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	6.679837028931889
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA8Kx/aa56Lx:QqPoBhz1aRxcSUDk36SANKx/ag6Lx
MD5:	82246A37BC2B94A29240A8B49DE5CF57
SHA1:	60D6DF7C05D3A037ADB5FF61A563A7AE7AB00F36
SHA-256:	372BE1952CBC480EE462D263E3E067B82AE542E7B65789508575642BD960F18E
SHA-512:	047CAB5FB0EF6BF88DB1FE2FBF7200CF810A1B057E9B3488E32A6D8CF96DD56E9D397C5DC16885F48ACA4D858A3612AF74284819E50006E3279BCF9642200289
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: u6J827hhVw.dll, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\mssecsvc.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3723264
Entropy (8bit):	6.672529088248042
Encrypted:	false
SSDEEP:	49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA8Kx/aa56L:XDqPoBhz1aRxcSUDk36SANKx/ag6L
MD5:	9BCD08D46432B6DAC27417B0DE3DA8B1
SHA1:	D16FAE609A6CC1049FB008039555C2CC67DB8638
SHA-256:	4BEAB4D0D34AA39DAECD1846D8A574AACBDA506618BDBABC3FFEEA46E121E774
SHA-512:	B987E4B323FC59B82B71F4F5E0FE71B0324811247AB488C19688CDC1430322DEAADB6B73528178277B3AC9E3E89F5F938381B768839D99E7A72600EA5DFD636A
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=.A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L.....L.....................08...................@...........................f......................................................1.T.5..........................................................................................................text.............................. ..`.rdata..............................@..@.data....H0......p..................@....rsrc...T.5...1...5.. ..............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	6.679837028931889
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA8Kx/aa56Lx:QqPoBhz1aRxcSUDk36SANKx/ag6Lx
MD5:	82246A37BC2B94A29240A8B49DE5CF57
SHA1:	60D6DF7C05D3A037ADB5FF61A563A7AE7AB00F36
SHA-256:	372BE1952CBC480EE462D263E3E067B82AE542E7B65789508575642BD960F18E
SHA-512:	047CAB5FB0EF6BF88DB1FE2FBF7200CF810A1B057E9B3488E32A6D8CF96DD56E9D397C5DC16885F48ACA4D858A3612AF74284819E50006E3279BCF9642200289
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Joe Sandbox View:	Filename: u6J827hhVw.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.130986261798626
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tTbeoLWNhb.dll
File size:	5'267'459 bytes
MD5:	4c58581fa08accc15994f3db1098a5bc
SHA1:	1a349b33c6cc821b814138eb9619fcbce20e6eda
SHA256:	7ab78920ad07396864187254f5323571807df03ca90c6b5eab2d1c8d0c27b4d5
SHA512:	99e85447b5c2a3380cb9add92c5ca2ded417cdc1de2fbc3655b32014a53fd7202cdf6cda6955bbc8605bd6667cffafc9df3a04b10e0dcf15079481ede3b62da1
SSDEEP:	49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA8Kx/aa56L:TDqPoBhz1aRxcSUDk36SANKx/ag6L
TLSH:	15369C42A3F94619F2F63F3059BA17706F7ABC92A97DC60E1280516E1DB1E40CDB1B63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F9F81547A7Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F9F81547A98h
cmp esi, 01h
je 00007F9F81547A77h
cmp esi, 02h
jne 00007F9F81547A94h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F9F81547A7Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F9F81547A7Eh
push edi
push esi
push ebx
call 00007F9F8154798Ah
test eax, eax
jne 00007F9F81547A76h
xor eax, eax
jmp 00007F9F81547AC0h
push edi
push esi
push ebx
call 00007F9F8154783Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F9F81547A7Eh
test eax, eax
jne 00007F9F81547AA9h
push edi
push eax
push ebx
call 00007F9F81547966h
test esi, esi
je 00007F9F81547A77h
cmp esi, 03h
jne 00007F9F81547A98h
push edi
push esi
push ebx
call 00007F9F81547955h
test eax, eax
jne 00007F9F81547A75h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F9F81547A83h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F9F81547A7Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	ce779cfbc39a87e5ea501859118f27b5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770942687988281

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T02:52:28.759322+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.8	57246	1.1.1.1	53	UDP
2025-01-15T02:52:29.281342+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:29.281342+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:29.281342+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:29.281342+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:29.281342+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49706	104.16.167.228	80	TCP
2025-01-15T02:52:29.281978+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.8	49706	TCP
2025-01-15T02:52:30.686897+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:30.686897+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49707	104.16.167.228	80	TCP
2025-01-15T02:52:30.686912+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.8	49707	TCP
2025-01-15T02:52:31.685914+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.8	49719	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.8	49719	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.8	49719	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.8	49719	104.16.167.228	80	TCP
2025-01-15T02:52:31.685914+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.8	49719	104.16.167.228	80	TCP
2025-01-15T02:52:31.686298+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.8	49719	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:52:22.727521896 CET	49676	443	192.168.2.8	52.182.143.211
Jan 15, 2025 02:52:22.758711100 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:23.149352074 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:25.196249008 CET	49677	80	192.168.2.8	192.229.211.108
Jan 15, 2025 02:52:28.773701906 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:28.778582096 CET	80	49706	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:28.778669119 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:28.778832912 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:28.783684015 CET	80	49706	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:29.281239986 CET	80	49706	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:29.281342030 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:29.281977892 CET	80	49706	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:29.282207012 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:29.341025114 CET	49706	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:29.345853090 CET	80	49706	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.013470888 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.018327951 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.018400908 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.018604040 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.024473906 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.686815023 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.686855078 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.686897039 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.686897039 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.686912060 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.686950922 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.686991930 CET	49707	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:30.692105055 CET	80	49707	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:30.769743919 CET	49708	445	192.168.2.8	28.124.93.83
Jan 15, 2025 02:52:30.774667025 CET	445	49708	28.124.93.83	192.168.2.8
Jan 15, 2025 02:52:30.774791956 CET	49708	445	192.168.2.8	28.124.93.83
Jan 15, 2025 02:52:30.774791956 CET	49708	445	192.168.2.8	28.124.93.83
Jan 15, 2025 02:52:30.775166035 CET	49709	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.779925108 CET	445	49708	28.124.93.83	192.168.2.8
Jan 15, 2025 02:52:30.779970884 CET	445	49709	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:30.780014038 CET	49708	445	192.168.2.8	28.124.93.83
Jan 15, 2025 02:52:30.780060053 CET	49709	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.780119896 CET	49709	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.784957886 CET	445	49709	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:30.785027981 CET	49709	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.785682917 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.790457964 CET	445	49710	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:30.790616035 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.790669918 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:30.795417070 CET	445	49710	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:31.199167013 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.204034090 CET	80	49719	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:31.204118013 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.204535007 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.209315062 CET	80	49719	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:31.685693979 CET	80	49719	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:31.685914040 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.686005116 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.686297894 CET	80	49719	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:31.688025951 CET	49719	80	192.168.2.8	104.16.167.228
Jan 15, 2025 02:52:31.690711021 CET	80	49719	104.16.167.228	192.168.2.8
Jan 15, 2025 02:52:32.372613907 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:32.758738995 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:32.761460066 CET	49734	445	192.168.2.8	152.30.194.67
Jan 15, 2025 02:52:32.766226053 CET	445	49734	152.30.194.67	192.168.2.8
Jan 15, 2025 02:52:32.769326925 CET	49734	445	192.168.2.8	152.30.194.67
Jan 15, 2025 02:52:32.769412041 CET	49734	445	192.168.2.8	152.30.194.67
Jan 15, 2025 02:52:32.769789934 CET	49735	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.774393082 CET	445	49734	152.30.194.67	192.168.2.8
Jan 15, 2025 02:52:32.774565935 CET	49734	445	192.168.2.8	152.30.194.67
Jan 15, 2025 02:52:32.774607897 CET	445	49735	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:32.775333881 CET	49735	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.775333881 CET	49735	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.776864052 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.780309916 CET	445	49735	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:32.780319929 CET	445	49735	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:32.780610085 CET	49735	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.781647921 CET	445	49736	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:32.781754971 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.781754971 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:32.786562920 CET	445	49736	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:34.805459023 CET	49759	445	192.168.2.8	101.229.22.26
Jan 15, 2025 02:52:35.426258087 CET	443	49705	23.206.229.226	192.168.2.8
Jan 15, 2025 02:52:35.426464081 CET	49705	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:35.426609993 CET	443	49705	23.206.229.226	192.168.2.8
Jan 15, 2025 02:52:35.426651001 CET	49705	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:35.426897049 CET	443	49705	23.206.229.226	192.168.2.8
Jan 15, 2025 02:52:35.426942110 CET	49705	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:35.427113056 CET	443	49705	23.206.229.226	192.168.2.8
Jan 15, 2025 02:52:35.427150011 CET	49705	443	192.168.2.8	23.206.229.226
Jan 15, 2025 02:52:35.427807093 CET	445	49759	101.229.22.26	192.168.2.8
Jan 15, 2025 02:52:35.427886963 CET	49759	445	192.168.2.8	101.229.22.26
Jan 15, 2025 02:52:35.427936077 CET	49759	445	192.168.2.8	101.229.22.26
Jan 15, 2025 02:52:35.428214073 CET	49766	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.432981014 CET	445	49766	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:35.433089972 CET	445	49759	101.229.22.26	192.168.2.8
Jan 15, 2025 02:52:35.433119059 CET	49766	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.433137894 CET	49759	445	192.168.2.8	101.229.22.26
Jan 15, 2025 02:52:35.433193922 CET	49766	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.434717894 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.438051939 CET	445	49766	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:35.438127041 CET	49766	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.439532042 CET	445	49767	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:35.439613104 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.439662933 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:35.444377899 CET	445	49767	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:36.806798935 CET	49782	445	192.168.2.8	121.178.121.98
Jan 15, 2025 02:52:36.811670065 CET	445	49782	121.178.121.98	192.168.2.8
Jan 15, 2025 02:52:36.811737061 CET	49782	445	192.168.2.8	121.178.121.98
Jan 15, 2025 02:52:36.811803102 CET	49782	445	192.168.2.8	121.178.121.98
Jan 15, 2025 02:52:36.812026978 CET	49783	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.816761017 CET	445	49782	121.178.121.98	192.168.2.8
Jan 15, 2025 02:52:36.816823006 CET	49782	445	192.168.2.8	121.178.121.98
Jan 15, 2025 02:52:36.816883087 CET	445	49783	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:36.816942930 CET	49783	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.816996098 CET	49783	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.818191051 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.821863890 CET	445	49783	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:36.821930885 CET	49783	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.822985888 CET	445	49784	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:36.823076963 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.823298931 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:36.828063965 CET	445	49784	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:38.822112083 CET	49804	445	192.168.2.8	22.150.89.111
Jan 15, 2025 02:52:38.826909065 CET	445	49804	22.150.89.111	192.168.2.8
Jan 15, 2025 02:52:38.827025890 CET	49804	445	192.168.2.8	22.150.89.111
Jan 15, 2025 02:52:38.827050924 CET	49804	445	192.168.2.8	22.150.89.111
Jan 15, 2025 02:52:38.827178001 CET	49805	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.832441092 CET	445	49804	22.150.89.111	192.168.2.8
Jan 15, 2025 02:52:38.832456112 CET	445	49805	22.150.89.1	192.168.2.8
Jan 15, 2025 02:52:38.832494020 CET	49804	445	192.168.2.8	22.150.89.111
Jan 15, 2025 02:52:38.832535982 CET	49805	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.832616091 CET	49805	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.833542109 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.837512016 CET	445	49805	22.150.89.1	192.168.2.8
Jan 15, 2025 02:52:38.837574005 CET	49805	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.838396072 CET	445	49806	22.150.89.1	192.168.2.8
Jan 15, 2025 02:52:38.838471889 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.838511944 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:52:38.843297958 CET	445	49806	22.150.89.1	192.168.2.8
Jan 15, 2025 02:52:40.838110924 CET	49827	445	192.168.2.8	203.207.57.154
Jan 15, 2025 02:52:40.845405102 CET	445	49827	203.207.57.154	192.168.2.8
Jan 15, 2025 02:52:40.845482111 CET	49827	445	192.168.2.8	203.207.57.154
Jan 15, 2025 02:52:40.845530987 CET	49827	445	192.168.2.8	203.207.57.154
Jan 15, 2025 02:52:40.845721960 CET	49828	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.851999044 CET	445	49827	203.207.57.154	192.168.2.8
Jan 15, 2025 02:52:40.852014065 CET	445	49828	203.207.57.1	192.168.2.8
Jan 15, 2025 02:52:40.852058887 CET	49827	445	192.168.2.8	203.207.57.154
Jan 15, 2025 02:52:40.852102995 CET	49828	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.852149010 CET	49828	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.853176117 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.857089043 CET	445	49828	203.207.57.1	192.168.2.8
Jan 15, 2025 02:52:40.857136011 CET	49828	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.857971907 CET	445	49829	203.207.57.1	192.168.2.8
Jan 15, 2025 02:52:40.858213902 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.858213902 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:52:40.863074064 CET	445	49829	203.207.57.1	192.168.2.8
Jan 15, 2025 02:52:42.840317011 CET	445	49736	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:42.840396881 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:42.840471983 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:42.840516090 CET	49736	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:42.845302105 CET	445	49736	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:42.845313072 CET	445	49736	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:42.852826118 CET	49852	445	192.168.2.8	157.182.126.93
Jan 15, 2025 02:52:42.857726097 CET	445	49852	157.182.126.93	192.168.2.8
Jan 15, 2025 02:52:42.857815027 CET	49852	445	192.168.2.8	157.182.126.93
Jan 15, 2025 02:52:42.857851028 CET	49852	445	192.168.2.8	157.182.126.93
Jan 15, 2025 02:52:42.858087063 CET	49853	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.862760067 CET	445	49852	157.182.126.93	192.168.2.8
Jan 15, 2025 02:52:42.862823963 CET	49852	445	192.168.2.8	157.182.126.93
Jan 15, 2025 02:52:42.862904072 CET	445	49853	157.182.126.1	192.168.2.8
Jan 15, 2025 02:52:42.862967968 CET	49853	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.863039970 CET	49853	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.863292933 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.867918968 CET	445	49853	157.182.126.1	192.168.2.8
Jan 15, 2025 02:52:42.867981911 CET	49853	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.868032932 CET	445	49854	157.182.126.1	192.168.2.8
Jan 15, 2025 02:52:42.868093967 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.868118048 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:52:42.872937918 CET	445	49854	157.182.126.1	192.168.2.8
Jan 15, 2025 02:52:44.868886948 CET	49880	445	192.168.2.8	107.227.162.245
Jan 15, 2025 02:52:44.873831034 CET	445	49880	107.227.162.245	192.168.2.8
Jan 15, 2025 02:52:44.873914957 CET	49880	445	192.168.2.8	107.227.162.245
Jan 15, 2025 02:52:44.874062061 CET	49880	445	192.168.2.8	107.227.162.245
Jan 15, 2025 02:52:44.874208927 CET	49881	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.878922939 CET	445	49880	107.227.162.245	192.168.2.8
Jan 15, 2025 02:52:44.878974915 CET	49880	445	192.168.2.8	107.227.162.245
Jan 15, 2025 02:52:44.878983021 CET	445	49881	107.227.162.1	192.168.2.8
Jan 15, 2025 02:52:44.879038095 CET	49881	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.879123926 CET	49881	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.879440069 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.884008884 CET	445	49881	107.227.162.1	192.168.2.8
Jan 15, 2025 02:52:44.884054899 CET	49881	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.884330034 CET	445	49882	107.227.162.1	192.168.2.8
Jan 15, 2025 02:52:44.884393930 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.884432077 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:52:44.889244080 CET	445	49882	107.227.162.1	192.168.2.8
Jan 15, 2025 02:52:45.852741003 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:45.857603073 CET	445	49895	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:45.858721972 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:45.858721972 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:45.863542080 CET	445	49895	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:46.884584904 CET	49907	445	192.168.2.8	155.74.15.15
Jan 15, 2025 02:52:46.889425039 CET	445	49907	155.74.15.15	192.168.2.8
Jan 15, 2025 02:52:46.889502048 CET	49907	445	192.168.2.8	155.74.15.15
Jan 15, 2025 02:52:46.889580965 CET	49907	445	192.168.2.8	155.74.15.15
Jan 15, 2025 02:52:46.889797926 CET	49908	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.894481897 CET	445	49907	155.74.15.15	192.168.2.8
Jan 15, 2025 02:52:46.894539118 CET	49907	445	192.168.2.8	155.74.15.15
Jan 15, 2025 02:52:46.894593000 CET	445	49908	155.74.15.1	192.168.2.8
Jan 15, 2025 02:52:46.894682884 CET	49908	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.894682884 CET	49908	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.895098925 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.899611950 CET	445	49908	155.74.15.1	192.168.2.8
Jan 15, 2025 02:52:46.899943113 CET	445	49909	155.74.15.1	192.168.2.8
Jan 15, 2025 02:52:46.899974108 CET	49908	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.900017023 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.900063038 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:52:46.904911995 CET	445	49909	155.74.15.1	192.168.2.8
Jan 15, 2025 02:52:48.902143002 CET	49932	445	192.168.2.8	55.167.153.133
Jan 15, 2025 02:52:48.909235001 CET	445	49932	55.167.153.133	192.168.2.8
Jan 15, 2025 02:52:48.909320116 CET	49932	445	192.168.2.8	55.167.153.133
Jan 15, 2025 02:52:48.909358978 CET	49932	445	192.168.2.8	55.167.153.133
Jan 15, 2025 02:52:48.909533024 CET	49933	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.916148901 CET	445	49933	55.167.153.1	192.168.2.8
Jan 15, 2025 02:52:48.916212082 CET	49933	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.916235924 CET	49933	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.916737080 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.916897058 CET	445	49932	55.167.153.133	192.168.2.8
Jan 15, 2025 02:52:48.917063951 CET	445	49932	55.167.153.133	192.168.2.8
Jan 15, 2025 02:52:48.917119980 CET	49932	445	192.168.2.8	55.167.153.133
Jan 15, 2025 02:52:48.923578978 CET	445	49933	55.167.153.1	192.168.2.8
Jan 15, 2025 02:52:48.923629999 CET	49933	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.923748016 CET	445	49934	55.167.153.1	192.168.2.8
Jan 15, 2025 02:52:48.923831940 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.923831940 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:52:48.930680990 CET	445	49934	55.167.153.1	192.168.2.8
Jan 15, 2025 02:52:50.915555954 CET	49956	445	192.168.2.8	1.32.83.223
Jan 15, 2025 02:52:50.920425892 CET	445	49956	1.32.83.223	192.168.2.8
Jan 15, 2025 02:52:50.920583963 CET	49956	445	192.168.2.8	1.32.83.223
Jan 15, 2025 02:52:50.920619011 CET	49956	445	192.168.2.8	1.32.83.223
Jan 15, 2025 02:52:50.920936108 CET	49957	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.925561905 CET	445	49956	1.32.83.223	192.168.2.8
Jan 15, 2025 02:52:50.925611973 CET	49956	445	192.168.2.8	1.32.83.223
Jan 15, 2025 02:52:50.925734997 CET	445	49957	1.32.83.1	192.168.2.8
Jan 15, 2025 02:52:50.925791979 CET	49957	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.925817013 CET	49957	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.926063061 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.930718899 CET	445	49957	1.32.83.1	192.168.2.8
Jan 15, 2025 02:52:50.930772066 CET	49957	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.930830002 CET	445	49958	1.32.83.1	192.168.2.8
Jan 15, 2025 02:52:50.930886030 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.930913925 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:52:50.935735941 CET	445	49958	1.32.83.1	192.168.2.8
Jan 15, 2025 02:52:52.137465954 CET	445	49710	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:52.137597084 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:52.137644053 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:52.137725115 CET	49710	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:52.142381907 CET	445	49710	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:52.142538071 CET	445	49710	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:52.930969000 CET	49981	445	192.168.2.8	106.127.87.62
Jan 15, 2025 02:52:52.935827971 CET	445	49981	106.127.87.62	192.168.2.8
Jan 15, 2025 02:52:52.935982943 CET	49981	445	192.168.2.8	106.127.87.62
Jan 15, 2025 02:52:52.936100006 CET	49981	445	192.168.2.8	106.127.87.62
Jan 15, 2025 02:52:52.936397076 CET	49982	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.940996885 CET	445	49981	106.127.87.62	192.168.2.8
Jan 15, 2025 02:52:52.941056967 CET	49981	445	192.168.2.8	106.127.87.62
Jan 15, 2025 02:52:52.941154003 CET	445	49982	106.127.87.1	192.168.2.8
Jan 15, 2025 02:52:52.941206932 CET	49982	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.941261053 CET	49982	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.941606045 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.946185112 CET	445	49982	106.127.87.1	192.168.2.8
Jan 15, 2025 02:52:52.946269035 CET	49982	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.946367025 CET	445	49983	106.127.87.1	192.168.2.8
Jan 15, 2025 02:52:52.946423054 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.946455002 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:52:52.951189995 CET	445	49983	106.127.87.1	192.168.2.8
Jan 15, 2025 02:52:54.946672916 CET	50005	445	192.168.2.8	54.57.185.99
Jan 15, 2025 02:52:54.951574087 CET	445	50005	54.57.185.99	192.168.2.8
Jan 15, 2025 02:52:54.951662064 CET	50005	445	192.168.2.8	54.57.185.99
Jan 15, 2025 02:52:54.951687098 CET	50005	445	192.168.2.8	54.57.185.99
Jan 15, 2025 02:52:54.951809883 CET	50006	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.956640005 CET	445	50005	54.57.185.99	192.168.2.8
Jan 15, 2025 02:52:54.956693888 CET	445	50006	54.57.185.1	192.168.2.8
Jan 15, 2025 02:52:54.956697941 CET	50005	445	192.168.2.8	54.57.185.99
Jan 15, 2025 02:52:54.956760883 CET	50006	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.956808090 CET	50006	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.957027912 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.961725950 CET	445	50006	54.57.185.1	192.168.2.8
Jan 15, 2025 02:52:54.961791992 CET	50006	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.961885929 CET	445	50007	54.57.185.1	192.168.2.8
Jan 15, 2025 02:52:54.961940050 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.962052107 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:52:54.966927052 CET	445	50007	54.57.185.1	192.168.2.8
Jan 15, 2025 02:52:55.149739981 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:55.154670954 CET	445	50010	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:55.154757977 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:55.154808044 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:52:55.159617901 CET	445	50010	28.124.93.1	192.168.2.8
Jan 15, 2025 02:52:55.918773890 CET	445	49895	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:55.919043064 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:55.919043064 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:55.919043064 CET	49895	445	192.168.2.8	152.30.194.1
Jan 15, 2025 02:52:55.923955917 CET	445	49895	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:55.924040079 CET	445	49895	152.30.194.1	192.168.2.8
Jan 15, 2025 02:52:55.977787018 CET	50013	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.982682943 CET	445	50013	152.30.194.2	192.168.2.8
Jan 15, 2025 02:52:55.982752085 CET	50013	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.982815981 CET	50013	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.983283043 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.987710953 CET	445	50013	152.30.194.2	192.168.2.8
Jan 15, 2025 02:52:55.987768888 CET	50013	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.988157988 CET	445	50014	152.30.194.2	192.168.2.8
Jan 15, 2025 02:52:55.988220930 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.988265991 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:52:55.993185997 CET	445	50014	152.30.194.2	192.168.2.8
Jan 15, 2025 02:52:56.810050011 CET	445	49767	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:56.810146093 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:56.829590082 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:56.829732895 CET	49767	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:56.834456921 CET	445	49767	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:56.834598064 CET	445	49767	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:56.971743107 CET	50015	445	192.168.2.8	215.188.3.11
Jan 15, 2025 02:52:56.976696014 CET	445	50015	215.188.3.11	192.168.2.8
Jan 15, 2025 02:52:56.976814032 CET	50015	445	192.168.2.8	215.188.3.11
Jan 15, 2025 02:52:56.976890087 CET	50015	445	192.168.2.8	215.188.3.11
Jan 15, 2025 02:52:56.977049112 CET	50016	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.981913090 CET	445	50015	215.188.3.11	192.168.2.8
Jan 15, 2025 02:52:56.981996059 CET	50015	445	192.168.2.8	215.188.3.11
Jan 15, 2025 02:52:56.982089996 CET	445	50016	215.188.3.1	192.168.2.8
Jan 15, 2025 02:52:56.982168913 CET	50016	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.982233047 CET	50016	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.987351894 CET	445	50016	215.188.3.1	192.168.2.8
Jan 15, 2025 02:52:56.987427950 CET	50016	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.989978075 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.994914055 CET	445	50017	215.188.3.1	192.168.2.8
Jan 15, 2025 02:52:56.995050907 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.995089054 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:52:56.999948025 CET	445	50017	215.188.3.1	192.168.2.8
Jan 15, 2025 02:52:58.199948072 CET	445	49784	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:58.200032949 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:58.200095892 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:58.200176954 CET	49784	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:52:58.204813957 CET	445	49784	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:58.204916000 CET	445	49784	121.178.121.1	192.168.2.8
Jan 15, 2025 02:52:58.977933884 CET	50018	445	192.168.2.8	163.125.116.6
Jan 15, 2025 02:52:58.982744932 CET	445	50018	163.125.116.6	192.168.2.8
Jan 15, 2025 02:52:58.984632015 CET	50018	445	192.168.2.8	163.125.116.6
Jan 15, 2025 02:52:58.984647989 CET	50018	445	192.168.2.8	163.125.116.6
Jan 15, 2025 02:52:58.984810114 CET	50019	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:58.989675999 CET	445	50019	163.125.116.1	192.168.2.8
Jan 15, 2025 02:52:58.989926100 CET	445	50018	163.125.116.6	192.168.2.8
Jan 15, 2025 02:52:58.990000010 CET	50018	445	192.168.2.8	163.125.116.6
Jan 15, 2025 02:52:58.990267038 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:58.990272999 CET	50019	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:58.995076895 CET	445	50020	163.125.116.1	192.168.2.8
Jan 15, 2025 02:52:58.995244980 CET	445	50019	163.125.116.1	192.168.2.8
Jan 15, 2025 02:52:58.995352983 CET	50019	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:58.995357037 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:58.995408058 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:52:59.000222921 CET	445	50020	163.125.116.1	192.168.2.8
Jan 15, 2025 02:52:59.837297916 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:59.842158079 CET	445	50021	101.229.22.1	192.168.2.8
Jan 15, 2025 02:52:59.844435930 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:59.849272966 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:52:59.854027033 CET	445	50021	101.229.22.1	192.168.2.8
Jan 15, 2025 02:53:00.282246113 CET	445	49806	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:00.282306910 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:00.282361984 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:00.282435894 CET	49806	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:00.287209034 CET	445	49806	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:00.287223101 CET	445	49806	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:00.993674040 CET	50022	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.000881910 CET	445	50022	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.000993967 CET	50022	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.001022100 CET	50022	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.001199961 CET	50023	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.008657932 CET	445	50023	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.008749962 CET	50023	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.008810043 CET	50023	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.009123087 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.009332895 CET	445	50022	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.009396076 CET	50022	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.016999006 CET	445	50024	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.017163038 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.017163038 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.017551899 CET	445	50023	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.017612934 CET	50023	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:01.024717093 CET	445	50024	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:01.212130070 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:01.217984915 CET	445	50025	121.178.121.1	192.168.2.8
Jan 15, 2025 02:53:01.221913099 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:01.221973896 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:01.227502108 CET	445	50025	121.178.121.1	192.168.2.8
Jan 15, 2025 02:53:02.217499018 CET	445	49829	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:02.217618942 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:02.217618942 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:02.217689037 CET	49829	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:02.222464085 CET	445	49829	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:02.222475052 CET	445	49829	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:03.009215117 CET	50026	445	192.168.2.8	47.41.183.0
Jan 15, 2025 02:53:03.014111996 CET	445	50026	47.41.183.0	192.168.2.8
Jan 15, 2025 02:53:03.014179945 CET	50026	445	192.168.2.8	47.41.183.0
Jan 15, 2025 02:53:03.014249086 CET	50026	445	192.168.2.8	47.41.183.0
Jan 15, 2025 02:53:03.014394999 CET	50027	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.019144058 CET	445	50026	47.41.183.0	192.168.2.8
Jan 15, 2025 02:53:03.019220114 CET	445	50027	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:03.019253969 CET	50026	445	192.168.2.8	47.41.183.0
Jan 15, 2025 02:53:03.019356012 CET	50027	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.019433022 CET	50027	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.019829035 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.024331093 CET	445	50027	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:03.024384022 CET	445	50027	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:03.024429083 CET	50027	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.024591923 CET	445	50028	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:03.024647951 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.024678946 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:03.029486895 CET	445	50028	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:03.290487051 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:03.295229912 CET	445	50029	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:03.295339108 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:03.295387030 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:03.300148964 CET	445	50029	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:04.215661049 CET	445	49854	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:04.215718985 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:04.215769053 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:04.215769053 CET	49854	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:04.220557928 CET	445	49854	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:04.220572948 CET	445	49854	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:05.162777901 CET	50030	445	192.168.2.8	177.124.25.37
Jan 15, 2025 02:53:05.167682886 CET	445	50030	177.124.25.37	192.168.2.8
Jan 15, 2025 02:53:05.167754889 CET	50030	445	192.168.2.8	177.124.25.37
Jan 15, 2025 02:53:05.193377018 CET	50030	445	192.168.2.8	177.124.25.37
Jan 15, 2025 02:53:05.193566084 CET	50031	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.198256969 CET	445	50030	177.124.25.37	192.168.2.8
Jan 15, 2025 02:53:05.198417902 CET	50030	445	192.168.2.8	177.124.25.37
Jan 15, 2025 02:53:05.198470116 CET	445	50031	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:05.198548079 CET	50031	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.222966909 CET	50031	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.227848053 CET	445	50031	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:05.228002071 CET	50031	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.237704992 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:05.242516994 CET	445	50032	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:05.242578983 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:05.242868900 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:05.247661114 CET	445	50032	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:05.259038925 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.263928890 CET	445	50033	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:05.264000893 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.266592979 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:05.271368980 CET	445	50033	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:06.055854082 CET	445	50014	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:06.056021929 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:06.056096077 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:06.056149006 CET	50014	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:06.060969114 CET	445	50014	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:06.061060905 CET	445	50014	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:06.250874996 CET	445	49882	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:06.250932932 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:06.250957966 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:06.250993967 CET	49882	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:06.255758047 CET	445	49882	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:06.255769968 CET	445	49882	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:07.040452003 CET	50034	445	192.168.2.8	156.145.218.214
Jan 15, 2025 02:53:07.045284033 CET	445	50034	156.145.218.214	192.168.2.8
Jan 15, 2025 02:53:07.048206091 CET	50034	445	192.168.2.8	156.145.218.214
Jan 15, 2025 02:53:07.048223972 CET	50034	445	192.168.2.8	156.145.218.214
Jan 15, 2025 02:53:07.048371077 CET	50035	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.053185940 CET	445	50035	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:07.053200006 CET	445	50034	156.145.218.214	192.168.2.8
Jan 15, 2025 02:53:07.053266048 CET	50034	445	192.168.2.8	156.145.218.214
Jan 15, 2025 02:53:07.053352118 CET	50035	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.053352118 CET	50035	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.053566933 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.058265924 CET	445	50035	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:07.058331013 CET	445	50036	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:07.058377981 CET	50035	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.058408022 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.058428049 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:07.063137054 CET	445	50036	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:07.227653027 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:07.232428074 CET	445	50037	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:07.232644081 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:07.232707977 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:07.237488031 CET	445	50037	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:08.280086040 CET	445	49909	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:08.280141115 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:08.280194044 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:08.280431986 CET	49909	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:08.284970045 CET	445	49909	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:08.285190105 CET	445	49909	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:08.790456057 CET	50038	445	192.168.2.8	107.39.6.89
Jan 15, 2025 02:53:08.795918941 CET	445	50038	107.39.6.89	192.168.2.8
Jan 15, 2025 02:53:08.795994997 CET	50038	445	192.168.2.8	107.39.6.89
Jan 15, 2025 02:53:08.796020031 CET	50038	445	192.168.2.8	107.39.6.89
Jan 15, 2025 02:53:08.796139002 CET	50039	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.801558971 CET	445	50038	107.39.6.89	192.168.2.8
Jan 15, 2025 02:53:08.801605940 CET	50038	445	192.168.2.8	107.39.6.89
Jan 15, 2025 02:53:08.802196026 CET	445	50039	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:08.802252054 CET	50039	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.802283049 CET	50039	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.802659035 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.807461023 CET	445	50040	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:08.807543039 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.807543039 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.807579041 CET	445	50039	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:08.807619095 CET	50039	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:08.812489033 CET	445	50040	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:09.071571112 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:09.076426029 CET	445	50041	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:09.076525927 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:09.076546907 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:09.081315994 CET	445	50041	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:09.258929968 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:09.263801098 CET	445	50042	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:09.265949011 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:09.265965939 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:09.271450996 CET	445	50042	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:10.293983936 CET	445	49934	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:10.294188023 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:10.294254065 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:10.294301987 CET	49934	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:10.299355984 CET	445	49934	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:10.300514936 CET	445	49934	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:10.431472063 CET	50043	445	192.168.2.8	163.172.72.249
Jan 15, 2025 02:53:10.438427925 CET	445	50043	163.172.72.249	192.168.2.8
Jan 15, 2025 02:53:10.438519001 CET	50043	445	192.168.2.8	163.172.72.249
Jan 15, 2025 02:53:10.438575983 CET	50043	445	192.168.2.8	163.172.72.249
Jan 15, 2025 02:53:10.438826084 CET	50044	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.445687056 CET	445	50044	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:10.445750952 CET	50044	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.445768118 CET	50044	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.445833921 CET	445	50043	163.172.72.249	192.168.2.8
Jan 15, 2025 02:53:10.445910931 CET	50043	445	192.168.2.8	163.172.72.249
Jan 15, 2025 02:53:10.446130991 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.452862024 CET	445	50045	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:10.453046083 CET	445	50044	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:10.453072071 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.453095913 CET	50044	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.453150988 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:10.460072994 CET	445	50045	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:11.290785074 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:11.295753002 CET	445	50046	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:11.295881033 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:11.295913935 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:11.300692081 CET	445	50046	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:11.962451935 CET	50047	445	192.168.2.8	181.250.17.254
Jan 15, 2025 02:53:11.967366934 CET	445	50047	181.250.17.254	192.168.2.8
Jan 15, 2025 02:53:11.967466116 CET	50047	445	192.168.2.8	181.250.17.254
Jan 15, 2025 02:53:11.967536926 CET	50047	445	192.168.2.8	181.250.17.254
Jan 15, 2025 02:53:11.967828035 CET	50048	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.972385883 CET	445	50047	181.250.17.254	192.168.2.8
Jan 15, 2025 02:53:11.972451925 CET	50047	445	192.168.2.8	181.250.17.254
Jan 15, 2025 02:53:11.972593069 CET	445	50048	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:11.972680092 CET	50048	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.972681046 CET	50048	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.972995996 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.977612019 CET	445	50048	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:11.977660894 CET	50048	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.977868080 CET	445	50049	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:11.977919102 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.977962971 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:11.982687950 CET	445	50049	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:12.080837011 CET	445	50045	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:12.080952883 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:12.080996990 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:12.081037998 CET	50045	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:12.085743904 CET	445	50045	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:12.085855961 CET	445	50045	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:12.296045065 CET	445	49958	1.32.83.1	192.168.2.8
Jan 15, 2025 02:53:12.296147108 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:12.296180964 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:12.296233892 CET	49958	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:12.301026106 CET	445	49958	1.32.83.1	192.168.2.8
Jan 15, 2025 02:53:12.301040888 CET	445	49958	1.32.83.1	192.168.2.8
Jan 15, 2025 02:53:13.305823088 CET	50050	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:13.310592890 CET	445	50050	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:13.310664892 CET	50050	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:13.310723066 CET	50050	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:13.315422058 CET	445	50050	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:13.384494066 CET	50051	445	192.168.2.8	44.41.62.34
Jan 15, 2025 02:53:13.390153885 CET	445	50051	44.41.62.34	192.168.2.8
Jan 15, 2025 02:53:13.390292883 CET	50051	445	192.168.2.8	44.41.62.34
Jan 15, 2025 02:53:13.390328884 CET	50051	445	192.168.2.8	44.41.62.34
Jan 15, 2025 02:53:13.390568972 CET	50052	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.396348000 CET	445	50052	44.41.62.1	192.168.2.8
Jan 15, 2025 02:53:13.396433115 CET	50052	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.396477938 CET	50052	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.396720886 CET	50053	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.397180080 CET	445	50051	44.41.62.34	192.168.2.8
Jan 15, 2025 02:53:13.397244930 CET	50051	445	192.168.2.8	44.41.62.34
Jan 15, 2025 02:53:13.402391911 CET	445	50053	44.41.62.1	192.168.2.8
Jan 15, 2025 02:53:13.402571917 CET	50053	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.402605057 CET	445	50052	44.41.62.1	192.168.2.8
Jan 15, 2025 02:53:13.402643919 CET	50053	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.402657032 CET	50052	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:13.407366037 CET	445	50053	44.41.62.1	192.168.2.8
Jan 15, 2025 02:53:14.345252037 CET	445	49983	106.127.87.1	192.168.2.8
Jan 15, 2025 02:53:14.345314980 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:14.345382929 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:14.345419884 CET	49983	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:14.350151062 CET	445	49983	106.127.87.1	192.168.2.8
Jan 15, 2025 02:53:14.350162029 CET	445	49983	106.127.87.1	192.168.2.8
Jan 15, 2025 02:53:14.712447882 CET	50054	445	192.168.2.8	5.78.105.227
Jan 15, 2025 02:53:14.717197895 CET	445	50054	5.78.105.227	192.168.2.8
Jan 15, 2025 02:53:14.717286110 CET	50054	445	192.168.2.8	5.78.105.227
Jan 15, 2025 02:53:14.717328072 CET	50054	445	192.168.2.8	5.78.105.227
Jan 15, 2025 02:53:14.717482090 CET	50055	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.722263098 CET	445	50054	5.78.105.227	192.168.2.8
Jan 15, 2025 02:53:14.722273111 CET	445	50055	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:14.722320080 CET	50054	445	192.168.2.8	5.78.105.227
Jan 15, 2025 02:53:14.722371101 CET	50055	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.722424030 CET	50055	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.722652912 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.727389097 CET	445	50055	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:14.727438927 CET	50055	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.727468967 CET	445	50056	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:14.727519989 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.727668047 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:14.732433081 CET	445	50056	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:15.087174892 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:15.095607996 CET	445	50057	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:15.095699072 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:15.095760107 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:15.104624987 CET	445	50057	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:15.306051016 CET	50058	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:15.310988903 CET	445	50058	1.32.83.1	192.168.2.8
Jan 15, 2025 02:53:15.311091900 CET	50058	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:15.311131001 CET	50058	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:15.315970898 CET	445	50058	1.32.83.1	192.168.2.8
Jan 15, 2025 02:53:15.946911097 CET	50059	445	192.168.2.8	81.205.124.50
Jan 15, 2025 02:53:15.951742887 CET	445	50059	81.205.124.50	192.168.2.8
Jan 15, 2025 02:53:15.952281952 CET	50059	445	192.168.2.8	81.205.124.50
Jan 15, 2025 02:53:15.952370882 CET	50059	445	192.168.2.8	81.205.124.50
Jan 15, 2025 02:53:15.952549934 CET	50060	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.957258940 CET	445	50059	81.205.124.50	192.168.2.8
Jan 15, 2025 02:53:15.957329035 CET	445	50060	81.205.124.1	192.168.2.8
Jan 15, 2025 02:53:15.957340956 CET	50059	445	192.168.2.8	81.205.124.50
Jan 15, 2025 02:53:15.957392931 CET	50060	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.957453012 CET	50060	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.957818031 CET	50061	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.962295055 CET	445	50060	81.205.124.1	192.168.2.8
Jan 15, 2025 02:53:15.962409973 CET	50060	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.962662935 CET	445	50061	81.205.124.1	192.168.2.8
Jan 15, 2025 02:53:15.962764025 CET	50061	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.962801933 CET	50061	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:15.967607975 CET	445	50061	81.205.124.1	192.168.2.8
Jan 15, 2025 02:53:16.317771912 CET	445	50056	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:16.317920923 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:16.317959070 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:16.317959070 CET	50056	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:16.322814941 CET	445	50056	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:16.322824955 CET	445	50056	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:16.341109991 CET	445	50007	54.57.185.1	192.168.2.8
Jan 15, 2025 02:53:16.341347933 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:16.341347933 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:16.341347933 CET	50007	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:16.346195936 CET	445	50007	54.57.185.1	192.168.2.8
Jan 15, 2025 02:53:16.346205950 CET	445	50007	54.57.185.1	192.168.2.8
Jan 15, 2025 02:53:16.514867067 CET	445	50010	28.124.93.1	192.168.2.8
Jan 15, 2025 02:53:16.515062094 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:53:16.515062094 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:53:16.515098095 CET	50010	445	192.168.2.8	28.124.93.1
Jan 15, 2025 02:53:16.519896030 CET	445	50010	28.124.93.1	192.168.2.8
Jan 15, 2025 02:53:16.519958019 CET	445	50010	28.124.93.1	192.168.2.8
Jan 15, 2025 02:53:16.572844982 CET	50062	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.577761889 CET	445	50062	28.124.93.2	192.168.2.8
Jan 15, 2025 02:53:16.577864885 CET	50062	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.577936888 CET	50062	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.578202009 CET	50063	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.582870960 CET	445	50062	28.124.93.2	192.168.2.8
Jan 15, 2025 02:53:16.582973957 CET	50062	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.583012104 CET	445	50063	28.124.93.2	192.168.2.8
Jan 15, 2025 02:53:16.583070993 CET	50063	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.583101988 CET	50063	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:16.587831974 CET	445	50063	28.124.93.2	192.168.2.8
Jan 15, 2025 02:53:16.758315086 CET	445	50057	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:16.758424997 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:16.770946026 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:16.770946026 CET	50057	445	192.168.2.8	163.172.72.1
Jan 15, 2025 02:53:16.775823116 CET	445	50057	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:16.775854111 CET	445	50057	163.172.72.1	192.168.2.8
Jan 15, 2025 02:53:16.825212955 CET	50064	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.830059052 CET	445	50064	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:16.830147982 CET	50064	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.830238104 CET	50064	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.830533028 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.835150957 CET	445	50064	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:16.835201979 CET	50064	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.835422993 CET	445	50065	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:16.835484028 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.835537910 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:16.840316057 CET	445	50065	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:17.103184938 CET	50066	445	192.168.2.8	143.214.82.76
Jan 15, 2025 02:53:17.108025074 CET	445	50066	143.214.82.76	192.168.2.8
Jan 15, 2025 02:53:17.108194113 CET	50066	445	192.168.2.8	143.214.82.76
Jan 15, 2025 02:53:17.108282089 CET	50066	445	192.168.2.8	143.214.82.76
Jan 15, 2025 02:53:17.108407021 CET	50067	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.113303900 CET	445	50066	143.214.82.76	192.168.2.8
Jan 15, 2025 02:53:17.113368034 CET	50066	445	192.168.2.8	143.214.82.76
Jan 15, 2025 02:53:17.113904953 CET	445	50067	143.214.82.1	192.168.2.8
Jan 15, 2025 02:53:17.114017963 CET	50067	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.114017963 CET	50067	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.114238024 CET	50068	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.119007111 CET	445	50067	143.214.82.1	192.168.2.8
Jan 15, 2025 02:53:17.119040966 CET	445	50068	143.214.82.1	192.168.2.8
Jan 15, 2025 02:53:17.119067907 CET	50067	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.119103909 CET	50068	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.119153976 CET	50068	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:17.125113010 CET	445	50068	143.214.82.1	192.168.2.8
Jan 15, 2025 02:53:17.352677107 CET	50069	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:17.357645035 CET	445	50069	106.127.87.1	192.168.2.8
Jan 15, 2025 02:53:17.357743025 CET	50069	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:17.357743979 CET	50069	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:17.362684011 CET	445	50069	106.127.87.1	192.168.2.8
Jan 15, 2025 02:53:18.181261063 CET	50070	445	192.168.2.8	95.55.13.208
Jan 15, 2025 02:53:18.186070919 CET	445	50070	95.55.13.208	192.168.2.8
Jan 15, 2025 02:53:18.188146114 CET	50070	445	192.168.2.8	95.55.13.208
Jan 15, 2025 02:53:18.188275099 CET	50070	445	192.168.2.8	95.55.13.208
Jan 15, 2025 02:53:18.188458920 CET	50071	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.193227053 CET	445	50070	95.55.13.208	192.168.2.8
Jan 15, 2025 02:53:18.193341970 CET	445	50071	95.55.13.1	192.168.2.8
Jan 15, 2025 02:53:18.193399906 CET	50070	445	192.168.2.8	95.55.13.208
Jan 15, 2025 02:53:18.193434000 CET	50071	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.193484068 CET	50071	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.193746090 CET	50072	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.198381901 CET	445	50071	95.55.13.1	192.168.2.8
Jan 15, 2025 02:53:18.198542118 CET	445	50072	95.55.13.1	192.168.2.8
Jan 15, 2025 02:53:18.198590040 CET	50071	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.198626995 CET	50072	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.198657036 CET	50072	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:18.203463078 CET	445	50072	95.55.13.1	192.168.2.8
Jan 15, 2025 02:53:18.372453928 CET	445	50017	215.188.3.1	192.168.2.8
Jan 15, 2025 02:53:18.374098063 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:18.374098063 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:18.374098063 CET	50017	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:18.379096031 CET	445	50017	215.188.3.1	192.168.2.8
Jan 15, 2025 02:53:18.379132986 CET	445	50017	215.188.3.1	192.168.2.8
Jan 15, 2025 02:53:18.458204031 CET	445	50065	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:18.460757971 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:18.460813999 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:18.460813999 CET	50065	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:18.465909958 CET	445	50065	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:18.466012955 CET	445	50065	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:19.196804047 CET	50073	445	192.168.2.8	169.138.150.160
Jan 15, 2025 02:53:19.200553894 CET	445	50041	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:19.200701952 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:19.200701952 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:19.200740099 CET	50041	445	192.168.2.8	152.30.194.2
Jan 15, 2025 02:53:19.201687098 CET	445	50073	169.138.150.160	192.168.2.8
Jan 15, 2025 02:53:19.201761007 CET	50073	445	192.168.2.8	169.138.150.160
Jan 15, 2025 02:53:19.201836109 CET	50073	445	192.168.2.8	169.138.150.160
Jan 15, 2025 02:53:19.202047110 CET	50074	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.205596924 CET	445	50041	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:19.205626011 CET	445	50041	152.30.194.2	192.168.2.8
Jan 15, 2025 02:53:19.206757069 CET	445	50073	169.138.150.160	192.168.2.8
Jan 15, 2025 02:53:19.206814051 CET	50073	445	192.168.2.8	169.138.150.160
Jan 15, 2025 02:53:19.206948996 CET	445	50074	169.138.150.1	192.168.2.8
Jan 15, 2025 02:53:19.207019091 CET	50074	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.207087040 CET	50074	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.207341909 CET	50075	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.212107897 CET	445	50074	169.138.150.1	192.168.2.8
Jan 15, 2025 02:53:19.212191105 CET	50074	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.212194920 CET	445	50075	169.138.150.1	192.168.2.8
Jan 15, 2025 02:53:19.212258101 CET	50075	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.212292910 CET	50075	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:19.217089891 CET	445	50075	169.138.150.1	192.168.2.8
Jan 15, 2025 02:53:19.259023905 CET	50076	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.263926029 CET	445	50076	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:19.263992071 CET	50076	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.264034986 CET	50076	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.264380932 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.269002914 CET	445	50076	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:19.269053936 CET	50076	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.269141912 CET	445	50077	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:19.269211054 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.269211054 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:19.274015903 CET	445	50077	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:19.321573019 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:19.326519012 CET	445	50078	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:19.326632977 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:19.326745033 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:19.331505060 CET	445	50078	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:19.353282928 CET	50079	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:19.358118057 CET	445	50079	54.57.185.1	192.168.2.8
Jan 15, 2025 02:53:19.358186960 CET	50079	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:19.358222008 CET	50079	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:19.362962961 CET	445	50079	54.57.185.1	192.168.2.8
Jan 15, 2025 02:53:20.134315968 CET	50080	445	192.168.2.8	30.210.98.71
Jan 15, 2025 02:53:20.139219046 CET	445	50080	30.210.98.71	192.168.2.8
Jan 15, 2025 02:53:20.139355898 CET	50080	445	192.168.2.8	30.210.98.71
Jan 15, 2025 02:53:20.139519930 CET	50080	445	192.168.2.8	30.210.98.71
Jan 15, 2025 02:53:20.139780045 CET	50081	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.144435883 CET	445	50080	30.210.98.71	192.168.2.8
Jan 15, 2025 02:53:20.144490004 CET	50080	445	192.168.2.8	30.210.98.71
Jan 15, 2025 02:53:20.144597054 CET	445	50081	30.210.98.1	192.168.2.8
Jan 15, 2025 02:53:20.144649029 CET	50081	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.144690037 CET	50081	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.145169973 CET	50082	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.149640083 CET	445	50081	30.210.98.1	192.168.2.8
Jan 15, 2025 02:53:20.149691105 CET	50081	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.150068045 CET	445	50082	30.210.98.1	192.168.2.8
Jan 15, 2025 02:53:20.150140047 CET	50082	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.150260925 CET	50082	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:20.154987097 CET	445	50082	30.210.98.1	192.168.2.8
Jan 15, 2025 02:53:20.372518063 CET	445	50020	163.125.116.1	192.168.2.8
Jan 15, 2025 02:53:20.372603893 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:20.372627974 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:20.372667074 CET	50020	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:20.377630949 CET	445	50020	163.125.116.1	192.168.2.8
Jan 15, 2025 02:53:20.377645969 CET	445	50020	163.125.116.1	192.168.2.8
Jan 15, 2025 02:53:20.924200058 CET	445	50078	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:20.924323082 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:20.924323082 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:20.924453020 CET	50078	445	192.168.2.8	5.78.105.1
Jan 15, 2025 02:53:20.929202080 CET	445	50078	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:20.929286957 CET	445	50078	5.78.105.1	192.168.2.8
Jan 15, 2025 02:53:20.977812052 CET	50083	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.982673883 CET	445	50083	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:20.982841969 CET	50083	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.982928038 CET	50083	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.983295918 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.987773895 CET	445	50083	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:20.987863064 CET	50083	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.988152027 CET	445	50084	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:20.988213062 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.988233089 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:20.993108988 CET	445	50084	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:21.009268999 CET	50085	445	192.168.2.8	214.117.94.222
Jan 15, 2025 02:53:21.014189005 CET	445	50085	214.117.94.222	192.168.2.8
Jan 15, 2025 02:53:21.014280081 CET	50085	445	192.168.2.8	214.117.94.222
Jan 15, 2025 02:53:21.014329910 CET	50085	445	192.168.2.8	214.117.94.222
Jan 15, 2025 02:53:21.014518976 CET	50086	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.019268036 CET	445	50085	214.117.94.222	192.168.2.8
Jan 15, 2025 02:53:21.019339085 CET	445	50086	214.117.94.1	192.168.2.8
Jan 15, 2025 02:53:21.019347906 CET	50085	445	192.168.2.8	214.117.94.222
Jan 15, 2025 02:53:21.019404888 CET	50086	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.019440889 CET	50086	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.019686937 CET	50087	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.024359941 CET	445	50086	214.117.94.1	192.168.2.8
Jan 15, 2025 02:53:21.024389029 CET	445	50086	214.117.94.1	192.168.2.8
Jan 15, 2025 02:53:21.024436951 CET	50086	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.024588108 CET	445	50087	214.117.94.1	192.168.2.8
Jan 15, 2025 02:53:21.024698019 CET	50087	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.029150963 CET	50087	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:21.034080029 CET	445	50087	214.117.94.1	192.168.2.8
Jan 15, 2025 02:53:21.233450890 CET	445	50021	101.229.22.1	192.168.2.8
Jan 15, 2025 02:53:21.233547926 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:53:21.233609915 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:53:21.233669996 CET	50021	445	192.168.2.8	101.229.22.1
Jan 15, 2025 02:53:21.238404989 CET	445	50021	101.229.22.1	192.168.2.8
Jan 15, 2025 02:53:21.238416910 CET	445	50021	101.229.22.1	192.168.2.8
Jan 15, 2025 02:53:21.290566921 CET	50088	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.297066927 CET	445	50088	101.229.22.2	192.168.2.8
Jan 15, 2025 02:53:21.301928043 CET	50088	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.301973104 CET	50088	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.302270889 CET	50089	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.308660030 CET	445	50088	101.229.22.2	192.168.2.8
Jan 15, 2025 02:53:21.308830023 CET	445	50089	101.229.22.2	192.168.2.8
Jan 15, 2025 02:53:21.308933973 CET	50089	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.308983088 CET	50089	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.309081078 CET	50088	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:21.315509081 CET	445	50089	101.229.22.2	192.168.2.8
Jan 15, 2025 02:53:21.383980989 CET	50090	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:21.388951063 CET	445	50090	215.188.3.1	192.168.2.8
Jan 15, 2025 02:53:21.389019012 CET	50090	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:21.389043093 CET	50090	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:21.393938065 CET	445	50090	215.188.3.1	192.168.2.8
Jan 15, 2025 02:53:21.462182045 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:21.467674017 CET	445	50091	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:21.467751980 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:21.467777014 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:21.472821951 CET	445	50091	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:21.837518930 CET	50093	445	192.168.2.8	165.71.85.103
Jan 15, 2025 02:53:21.842566013 CET	445	50093	165.71.85.103	192.168.2.8
Jan 15, 2025 02:53:21.844710112 CET	50093	445	192.168.2.8	165.71.85.103
Jan 15, 2025 02:53:21.844753027 CET	50093	445	192.168.2.8	165.71.85.103
Jan 15, 2025 02:53:21.844873905 CET	50094	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.849699020 CET	445	50094	165.71.85.1	192.168.2.8
Jan 15, 2025 02:53:21.849833012 CET	445	50093	165.71.85.103	192.168.2.8
Jan 15, 2025 02:53:21.850052118 CET	50093	445	192.168.2.8	165.71.85.103
Jan 15, 2025 02:53:21.850063086 CET	50094	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.850167990 CET	50094	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.850483894 CET	50095	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.855081081 CET	445	50094	165.71.85.1	192.168.2.8
Jan 15, 2025 02:53:21.855446100 CET	445	50095	165.71.85.1	192.168.2.8
Jan 15, 2025 02:53:21.855520010 CET	50094	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.855602980 CET	50095	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.855602980 CET	50095	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:21.860523939 CET	445	50095	165.71.85.1	192.168.2.8
Jan 15, 2025 02:53:22.422930002 CET	445	50024	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:22.423156977 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:22.423290968 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:22.423362017 CET	50024	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:22.428014040 CET	445	50024	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:22.428113937 CET	445	50024	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:22.586815119 CET	445	50084	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:22.586882114 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:22.586930037 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:22.586975098 CET	50084	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:22.591784000 CET	445	50084	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:22.591814041 CET	445	50084	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:22.612463951 CET	445	50025	121.178.121.1	192.168.2.8
Jan 15, 2025 02:53:22.612550974 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:22.616118908 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:22.616178036 CET	50025	445	192.168.2.8	121.178.121.1
Jan 15, 2025 02:53:22.620974064 CET	445	50025	121.178.121.1	192.168.2.8
Jan 15, 2025 02:53:22.621004105 CET	445	50025	121.178.121.1	192.168.2.8
Jan 15, 2025 02:53:22.628281116 CET	50096	445	192.168.2.8	21.90.103.237
Jan 15, 2025 02:53:22.633151054 CET	445	50096	21.90.103.237	192.168.2.8
Jan 15, 2025 02:53:22.633225918 CET	50096	445	192.168.2.8	21.90.103.237
Jan 15, 2025 02:53:22.636477947 CET	50096	445	192.168.2.8	21.90.103.237
Jan 15, 2025 02:53:22.636610985 CET	50097	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.641371012 CET	445	50096	21.90.103.237	192.168.2.8
Jan 15, 2025 02:53:22.641433954 CET	50096	445	192.168.2.8	21.90.103.237
Jan 15, 2025 02:53:22.641462088 CET	445	50097	21.90.103.1	192.168.2.8
Jan 15, 2025 02:53:22.641520023 CET	50097	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.645258904 CET	50097	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.645622015 CET	50098	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.650089025 CET	445	50097	21.90.103.1	192.168.2.8
Jan 15, 2025 02:53:22.650134087 CET	50097	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.650418043 CET	445	50098	21.90.103.1	192.168.2.8
Jan 15, 2025 02:53:22.650475979 CET	50098	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.653686047 CET	50098	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:22.658615112 CET	445	50098	21.90.103.1	192.168.2.8
Jan 15, 2025 02:53:22.706727982 CET	50099	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.711693048 CET	445	50099	121.178.121.2	192.168.2.8
Jan 15, 2025 02:53:22.711755991 CET	50099	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.715064049 CET	50099	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.715919971 CET	50100	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.719968081 CET	445	50099	121.178.121.2	192.168.2.8
Jan 15, 2025 02:53:22.720022917 CET	50099	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.720854044 CET	445	50100	121.178.121.2	192.168.2.8
Jan 15, 2025 02:53:22.720909119 CET	50100	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.721076965 CET	50100	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:22.725893974 CET	445	50100	121.178.121.2	192.168.2.8
Jan 15, 2025 02:53:23.136194944 CET	445	50091	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:23.136274099 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:23.136301994 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:23.136337996 CET	50091	445	192.168.2.8	163.172.72.2
Jan 15, 2025 02:53:23.141787052 CET	445	50091	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:23.141801119 CET	445	50091	163.172.72.2	192.168.2.8
Jan 15, 2025 02:53:23.196454048 CET	50101	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.201245070 CET	445	50101	163.172.72.3	192.168.2.8
Jan 15, 2025 02:53:23.201318026 CET	50101	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.201340914 CET	50101	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.201669931 CET	50102	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.207119942 CET	445	50101	163.172.72.3	192.168.2.8
Jan 15, 2025 02:53:23.207170010 CET	50101	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.207297087 CET	445	50102	163.172.72.3	192.168.2.8
Jan 15, 2025 02:53:23.207357883 CET	50102	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.207380056 CET	50102	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:23.212869883 CET	445	50102	163.172.72.3	192.168.2.8
Jan 15, 2025 02:53:23.384020090 CET	50104	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:23.389125109 CET	445	50104	163.125.116.1	192.168.2.8
Jan 15, 2025 02:53:23.389225006 CET	50104	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:23.389271975 CET	50104	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:23.394124985 CET	445	50104	163.125.116.1	192.168.2.8
Jan 15, 2025 02:53:24.388174057 CET	445	50028	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:24.388281107 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:24.388334036 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:24.388386011 CET	50028	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:24.393199921 CET	445	50028	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:24.393244028 CET	445	50028	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:24.673163891 CET	445	50029	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:24.673367977 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:24.673367977 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:24.673398972 CET	50029	445	192.168.2.8	22.150.89.1
Jan 15, 2025 02:53:24.679095030 CET	445	50029	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:24.679111004 CET	445	50029	22.150.89.1	192.168.2.8
Jan 15, 2025 02:53:24.727814913 CET	50108	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.733685970 CET	445	50108	22.150.89.2	192.168.2.8
Jan 15, 2025 02:53:24.733771086 CET	50108	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.733836889 CET	50108	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.734128952 CET	50109	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.739368916 CET	445	50109	22.150.89.2	192.168.2.8
Jan 15, 2025 02:53:24.739387035 CET	445	50108	22.150.89.2	192.168.2.8
Jan 15, 2025 02:53:24.739437103 CET	50109	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.739464045 CET	50108	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.739465952 CET	50109	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:24.745361090 CET	445	50109	22.150.89.2	192.168.2.8
Jan 15, 2025 02:53:25.435275078 CET	50112	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:25.440073967 CET	445	50112	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:25.440140009 CET	50112	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:25.440167904 CET	50112	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:25.446510077 CET	445	50112	219.130.9.1	192.168.2.8
Jan 15, 2025 02:53:25.605495930 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:25.610291958 CET	445	50114	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:25.610359907 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:25.610388994 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:25.615156889 CET	445	50114	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:26.622740030 CET	445	50033	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:26.622863054 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:26.622920990 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:26.622968912 CET	50033	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:26.627686977 CET	445	50033	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:26.627717018 CET	445	50033	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:26.638036013 CET	445	50032	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:26.638104916 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:26.638168097 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:26.638220072 CET	50032	445	192.168.2.8	203.207.57.1
Jan 15, 2025 02:53:26.643038988 CET	445	50032	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:26.643055916 CET	445	50032	203.207.57.1	192.168.2.8
Jan 15, 2025 02:53:26.696645975 CET	50121	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.701642036 CET	445	50121	203.207.57.2	192.168.2.8
Jan 15, 2025 02:53:26.702088118 CET	50121	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.702127934 CET	50121	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.702449083 CET	50122	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.707071066 CET	445	50121	203.207.57.2	192.168.2.8
Jan 15, 2025 02:53:26.707257986 CET	445	50122	203.207.57.2	192.168.2.8
Jan 15, 2025 02:53:26.707319975 CET	50121	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.707339048 CET	50122	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.707357883 CET	50122	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:26.712151051 CET	445	50122	203.207.57.2	192.168.2.8
Jan 15, 2025 02:53:27.193053961 CET	445	50114	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:27.193186998 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:27.193229914 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:27.193265915 CET	50114	445	192.168.2.8	5.78.105.2
Jan 15, 2025 02:53:27.198847055 CET	445	50114	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:27.198878050 CET	445	50114	5.78.105.2	192.168.2.8
Jan 15, 2025 02:53:27.259099960 CET	50126	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.263972044 CET	445	50126	5.78.105.3	192.168.2.8
Jan 15, 2025 02:53:27.264044046 CET	50126	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.264108896 CET	50126	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.264560938 CET	50128	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.269117117 CET	445	50126	5.78.105.3	192.168.2.8
Jan 15, 2025 02:53:27.269182920 CET	50126	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.269447088 CET	445	50128	5.78.105.3	192.168.2.8
Jan 15, 2025 02:53:27.269505978 CET	50128	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.269584894 CET	50128	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:27.274390936 CET	445	50128	5.78.105.3	192.168.2.8
Jan 15, 2025 02:53:27.399602890 CET	50130	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:27.404551029 CET	445	50130	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:27.404665947 CET	50130	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:27.404685974 CET	50130	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:27.409516096 CET	445	50130	47.41.183.1	192.168.2.8
Jan 15, 2025 02:53:28.438895941 CET	445	50036	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:28.438954115 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:28.438981056 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:28.439018011 CET	50036	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:28.443942070 CET	445	50036	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:28.443972111 CET	445	50036	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:28.591229916 CET	445	50037	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:28.591460943 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:28.595565081 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:28.595612049 CET	50037	445	192.168.2.8	157.182.126.1
Jan 15, 2025 02:53:28.601972103 CET	445	50037	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:28.602003098 CET	445	50037	157.182.126.1	192.168.2.8
Jan 15, 2025 02:53:28.649657011 CET	50144	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.656008959 CET	445	50144	157.182.126.2	192.168.2.8
Jan 15, 2025 02:53:28.656084061 CET	50144	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.656126976 CET	50144	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.656461000 CET	50145	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.662770033 CET	445	50144	157.182.126.2	192.168.2.8
Jan 15, 2025 02:53:28.662831068 CET	50144	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.662833929 CET	445	50145	157.182.126.2	192.168.2.8
Jan 15, 2025 02:53:28.662902117 CET	50145	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.662946939 CET	50145	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:28.667745113 CET	445	50145	157.182.126.2	192.168.2.8
Jan 15, 2025 02:53:29.325706005 CET	445	50077	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:29.325875044 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:29.325875044 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:29.326020956 CET	50077	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:29.330763102 CET	445	50077	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:29.330872059 CET	445	50077	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:29.634200096 CET	50158	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:29.639105082 CET	445	50158	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:29.639235973 CET	50158	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:29.643798113 CET	50158	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:29.648617983 CET	445	50158	177.124.25.1	192.168.2.8
Jan 15, 2025 02:53:30.189086914 CET	445	50040	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:30.189188004 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:30.189232111 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:30.189232111 CET	50040	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:30.194099903 CET	445	50040	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:30.194113970 CET	445	50040	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:30.622569084 CET	445	50042	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:30.622783899 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:30.622783899 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:30.622783899 CET	50042	445	192.168.2.8	107.227.162.1
Jan 15, 2025 02:53:30.627650023 CET	445	50042	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:30.627665043 CET	445	50042	107.227.162.1	192.168.2.8
Jan 15, 2025 02:53:30.680969000 CET	50177	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.685874939 CET	445	50177	107.227.162.2	192.168.2.8
Jan 15, 2025 02:53:30.686016083 CET	50177	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.686016083 CET	50177	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.686301947 CET	50178	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.690982103 CET	445	50177	107.227.162.2	192.168.2.8
Jan 15, 2025 02:53:30.691124916 CET	50177	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.691179037 CET	445	50178	107.227.162.2	192.168.2.8
Jan 15, 2025 02:53:30.691342115 CET	50178	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.691378117 CET	50178	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:30.696209908 CET	445	50178	107.227.162.2	192.168.2.8
Jan 15, 2025 02:53:31.446382999 CET	50197	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:31.452830076 CET	445	50197	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:31.453042984 CET	50197	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:31.453109026 CET	50197	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:31.458008051 CET	445	50197	156.145.218.1	192.168.2.8
Jan 15, 2025 02:53:32.337369919 CET	50221	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:32.342247963 CET	445	50221	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:32.342338085 CET	50221	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:32.342379093 CET	50221	445	192.168.2.8	152.30.194.3
Jan 15, 2025 02:53:32.347140074 CET	445	50221	152.30.194.3	192.168.2.8
Jan 15, 2025 02:53:32.690701962 CET	445	50046	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:32.690952063 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:32.690952063 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:32.690953016 CET	50046	445	192.168.2.8	155.74.15.1
Jan 15, 2025 02:53:32.695935965 CET	445	50046	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:32.695945024 CET	445	50046	155.74.15.1	192.168.2.8
Jan 15, 2025 02:53:32.743612051 CET	50236	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.748523951 CET	445	50236	155.74.15.2	192.168.2.8
Jan 15, 2025 02:53:32.748641968 CET	50236	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.748760939 CET	50236	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.749106884 CET	50237	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.753644943 CET	445	50236	155.74.15.2	192.168.2.8
Jan 15, 2025 02:53:32.753706932 CET	50236	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.753951073 CET	445	50237	155.74.15.2	192.168.2.8
Jan 15, 2025 02:53:32.754034996 CET	50237	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.754075050 CET	50237	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:32.758794069 CET	445	50237	155.74.15.2	192.168.2.8
Jan 15, 2025 02:53:33.196544886 CET	50259	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:33.201481104 CET	445	50259	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:33.201611996 CET	50259	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:33.201647043 CET	50259	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:33.206388950 CET	445	50259	107.39.6.1	192.168.2.8
Jan 15, 2025 02:53:33.392406940 CET	445	50049	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:33.392565966 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:33.392566919 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:33.392672062 CET	50049	445	192.168.2.8	181.250.17.1
Jan 15, 2025 02:53:33.397471905 CET	445	50049	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:33.397480965 CET	445	50049	181.250.17.1	192.168.2.8
Jan 15, 2025 02:53:34.669666052 CET	445	50050	55.167.153.1	192.168.2.8
Jan 15, 2025 02:53:34.669735909 CET	50050	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:34.778867006 CET	445	50053	44.41.62.1	192.168.2.8
Jan 15, 2025 02:53:34.778958082 CET	50053	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:35.994887114 CET	50050	445	192.168.2.8	55.167.153.1
Jan 15, 2025 02:53:35.994978905 CET	50089	445	192.168.2.8	101.229.22.2
Jan 15, 2025 02:53:35.995037079 CET	50075	445	192.168.2.8	169.138.150.1
Jan 15, 2025 02:53:35.995069981 CET	50109	445	192.168.2.8	22.150.89.2
Jan 15, 2025 02:53:35.995094061 CET	50145	445	192.168.2.8	157.182.126.2
Jan 15, 2025 02:53:35.995107889 CET	50130	445	192.168.2.8	47.41.183.1
Jan 15, 2025 02:53:35.995148897 CET	50178	445	192.168.2.8	107.227.162.2
Jan 15, 2025 02:53:35.995217085 CET	50053	445	192.168.2.8	44.41.62.1
Jan 15, 2025 02:53:35.995239019 CET	50058	445	192.168.2.8	1.32.83.1
Jan 15, 2025 02:53:35.995264053 CET	50122	445	192.168.2.8	203.207.57.2
Jan 15, 2025 02:53:35.995264053 CET	50061	445	192.168.2.8	81.205.124.1
Jan 15, 2025 02:53:35.995302916 CET	50063	445	192.168.2.8	28.124.93.2
Jan 15, 2025 02:53:35.995306015 CET	50068	445	192.168.2.8	143.214.82.1
Jan 15, 2025 02:53:35.995331049 CET	50102	445	192.168.2.8	163.172.72.3
Jan 15, 2025 02:53:35.995347977 CET	50069	445	192.168.2.8	106.127.87.1
Jan 15, 2025 02:53:35.995368004 CET	50072	445	192.168.2.8	95.55.13.1
Jan 15, 2025 02:53:35.995439053 CET	50098	445	192.168.2.8	21.90.103.1
Jan 15, 2025 02:53:35.995491028 CET	50082	445	192.168.2.8	30.210.98.1
Jan 15, 2025 02:53:35.995492935 CET	50079	445	192.168.2.8	54.57.185.1
Jan 15, 2025 02:53:35.995546103 CET	50090	445	192.168.2.8	215.188.3.1
Jan 15, 2025 02:53:35.995548010 CET	50087	445	192.168.2.8	214.117.94.1
Jan 15, 2025 02:53:35.995573997 CET	50095	445	192.168.2.8	165.71.85.1
Jan 15, 2025 02:53:35.995584011 CET	50100	445	192.168.2.8	121.178.121.2
Jan 15, 2025 02:53:35.995631933 CET	50112	445	192.168.2.8	219.130.9.1
Jan 15, 2025 02:53:35.995647907 CET	50104	445	192.168.2.8	163.125.116.1
Jan 15, 2025 02:53:35.995647907 CET	50197	445	192.168.2.8	156.145.218.1
Jan 15, 2025 02:53:35.995701075 CET	50237	445	192.168.2.8	155.74.15.2
Jan 15, 2025 02:53:35.995714903 CET	50158	445	192.168.2.8	177.124.25.1
Jan 15, 2025 02:53:35.995724916 CET	50128	445	192.168.2.8	5.78.105.3
Jan 15, 2025 02:53:35.995748043 CET	50259	445	192.168.2.8	107.39.6.1
Jan 15, 2025 02:53:35.995789051 CET	50221	445	192.168.2.8	152.30.194.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 02:52:28.759321928 CET	57246	53	192.168.2.8	1.1.1.1
Jan 15, 2025 02:52:28.768349886 CET	53	57246	1.1.1.1	192.168.2.8
Jan 15, 2025 02:53:03.390356064 CET	138	138	192.168.2.8	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 02:52:28.759321928 CET	192.168.2.8	1.1.1.1	0x3923	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 02:52:28.768349886 CET	1.1.1.1	192.168.2.8	0x3923	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:52:28.768349886 CET	1.1.1.1	192.168.2.8	0x3923	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:52:43.640604973 CET	1.1.1.1	192.168.2.8	0x287a	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 02:52:43.640604973 CET	1.1.1.1	192.168.2.8	0x287a	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	104.16.167.228	80	792	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:28.778832912 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:29.281239986 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:29 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90223a068edf8c99-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	104.16.167.228	80	2160	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:30.018604040 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:30.686815023 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:30 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90223a0e4a055e65-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49719	104.16.167.228	80	3904	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 02:52:31.204535007 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 02:52:31.685693979 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 01:52:31 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 90223a15992bde9b-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	0
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll"
Imagebase:	0x930000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\tTbeoLWNhb.dll,PlayGame
Imagebase:	0x170000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",#1
Imagebase:	0x170000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:52:27
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9BCD08D46432B6DAC27417B0DE3DA8B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1510211339.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1510351488.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\mssecsvc.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (with the help of binar.ly) Rule: WannaCry_Ransomware_Gen, Description: Detects WannaCry Ransomware, Source: C:\Windows\mssecsvc.exe, Author: Florian Roth (based on rule by US CERT) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\mssecsvc.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\mssecsvc.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	20:52:28
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9BCD08D46432B6DAC27417B0DE3DA8B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2174815751.0000000001D7A000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1525566306.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2175529883.000000000229D000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1525328575.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	20:52:30
Start date:	14/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\tTbeoLWNhb.dll",PlayGame
Imagebase:	0x170000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:52:30
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	82246A37BC2B94A29240A8B49DE5CF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.1537482998.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:52:30
Start date:	14/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	9BCD08D46432B6DAC27417B0DE3DA8B1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1537853597.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1538073196.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1549881056.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1550066057.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:52:31
Start date:	14/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	82246A37BC2B94A29240A8B49DE5CF57
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.1548367393.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.1547215244.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

/i, xrefs: 00407E8D
CreateProcessA, xrefs: 00407D07
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
WriteFile, xrefs: 00407D1C
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
WINDOWS, xrefs: 00407DF2, 00407E0D

Memory Dump Source

Source File: 00000006.00000002.1540425940.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1540399990.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540468667.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540545583.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1540425940.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1540399990.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540468667.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540545583.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1540425940.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1540399990.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540468667.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540545583.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.1540425940.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1540399990.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540468667.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540545583.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1540425940.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1540399990.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540468667.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540488496.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540545583.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1540682142.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 2160, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2173112009.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2173090328.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173133845.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173229853.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173251184.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.2173112009.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2173090328.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173133845.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173229853.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173251184.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2173112009.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2173090328.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173133845.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173229853.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173251184.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
D, xrefs: 00407ED3
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12

Memory Dump Source

Source File: 00000008.00000002.2173112009.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2173090328.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173133845.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173229853.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173251184.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2173112009.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2173090328.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173133845.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173154900.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173205458.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173229853.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173251184.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.000000000090F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000912000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009E7000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EA000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009EE000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009F3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.00000000009FF000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A03000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A16000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A1F000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A24000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A38000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A44000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A4D000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A59000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2173372935.0000000000A69000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 6168, Parent PID: 792COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/../, xrefs: 00406DF5
/..\, xrefs: 00406E03
\..\, xrefs: 00406DD9
\../, xrefs: 00406DE7

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptGenKey, xrefs: 00401AAD
CryptEncrypt, xrefs: 00401A93
CryptAcquireContextA, xrefs: 00401A71
CryptDestroyKey, xrefs: 00401A86
CryptImportKey, xrefs: 00401A79
CryptDecrypt, xrefs: 00401AA0
advapi32.dll, xrefs: 00401A55

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

DeleteFileW, xrefs: 0040177F
CreateFileW, xrefs: 00401743
WriteFile, xrefs: 0040174B
ReadFile, xrefs: 00401758
MoveFileW, xrefs: 00401765
CloseHandle, xrefs: 0040178C
kernel32.dll, xrefs: 00401727
MoveFileExW, xrefs: 00401772

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 004072F6
\, xrefs: 00407358
%s%s, xrefs: 00407389
:, xrefs: 0040736E

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

t.wnry, xrefs: 00402125
attrib +h ., xrefs: 004020DC
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
TaskStart, xrefs: 00402145
tasksche.exe, xrefs: 00402061, 0040206D, 00402075

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

0@, xrefs: 00401157
Software\, xrefs: 0040110A
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

?!@, xrefs: 004021F8
GetNativeSystemInfo, xrefs: 004022A1
kernel32.dll, xrefs: 0040228C

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 0000000A.00000002.1539139481.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.1539112484.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539173416.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539199298.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FD000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000005FF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000602000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006D7000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DA000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006DE000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006EF000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.00000000006F3000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000706000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070C000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000070F000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000714000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000728000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000734000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.000000000073D000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000749000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000A.00000002.1539225037.0000000000759000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tTbeoLWNhb.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\mssecsvc.exe

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
tTbeoLWNhb.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON