Edit tour

Windows Analysis Report
alN48K3xcD.dll

Overview

General Information

Sample name:	alN48K3xcD.dll renamed because original name is a hash value
Original sample name:	9cccad94729abbbd27c8071de58402b9.dll
Analysis ID:	1591813
MD5:	9cccad94729abbbd27c8071de58402b9
SHA1:	0bbd3b74d2fae3564266b63fc251860e48bd77bd
SHA256:	fc7b58c22d9f27207af9c640c751dcab61fd90621ed9df95591d78b2758073f5
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Tries to download HTTP data from a sinkholed server

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file does not import any functions

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7336 cmdline: loaddll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7388 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7412 cmdline: rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7476 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 25E8BF1FF6B34D9ACC77B9991F68409A)

tasksche.exe (PID: 7660 cmdline: C:\WINDOWS\tasksche.exe /i MD5: A848C62D74569AFFBA05EE92D4033A36)

WerFault.exe (PID: 7736 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 7396 cmdline: rundll32.exe C:\Users\user\Desktop\alN48K3xcD.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7784 cmdline: rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7800 cmdline: C:\WINDOWS\mssecsvc.exe MD5: 25E8BF1FF6B34D9ACC77B9991F68409A)

tasksche.exe (PID: 7908 cmdline: C:\WINDOWS\tasksche.exe /i MD5: A848C62D74569AFFBA05EE92D4033A36)

WerFault.exe (PID: 7960 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 196 MD5: C31336C1EFC2CCB44B4326EA793040F2)

mssecsvc.exe (PID: 7572 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: 25E8BF1FF6B34D9ACC77B9991F68409A)

svchost.exe (PID: 7676 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

WerFault.exe (PID: 7712 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 7940 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7908 -ip 7908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

svchost.exe (PID: 7916 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
alN48K3xcD.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
alN48K3xcD.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x353d0:$x3: tasksche.exe 0x3543b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x38b0a:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x387e4:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x383d0:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000E.00000000.1369474007.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1351302945.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1996236950.00000000023E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1340886302.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.1995899155.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000E.00000002.1379301697.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7476	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7572	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7800	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
14.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ed8128.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ed8128.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
14.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23e6948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e6948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23e6948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23d78c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.240996c.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240996c.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ea6084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1eb5104.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb5104.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x22357:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb5104.5.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
14.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
15.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
15.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
15.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
15.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23d78c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23d78c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.23d78c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
14.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
14.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
14.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
14.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.240996c.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.240996c.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
14.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
14.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
14.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
14.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ed8128.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1ed8128.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1ea6084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1ea6084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x284bb0:$x3: tasksche.exe 0x313d7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x284c1b:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x17350:$x7: mssecsvc.exe 0x24f26c:$x7: mssecsvc.exe 0x26ab94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x284b88:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x24f254:$s1: C:\%s\%s 0x26ab7c:$s1: C:\%s\%s 0x284b9c:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x281ed0:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x26f2c5:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x25c975:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
8.2.mssecsvc.exe.1ea6084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1ea6084.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2878fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x25b8d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25d25a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x28d0a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.23e6948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e6948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb5104.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb5104.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1db57:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1eb10a4.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1eb10a4.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.23e28e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.23e28e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x263b7:$x6: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
Click to see the 82 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7676, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Known Sinkhole Response Kryptos Logic

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.917699+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.7	49711	TCP
2025-01-15T14:06:20.787701+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.7	49715	TCP
2025-01-15T14:06:22.505498+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.7	49744	TCP
2025-01-15T14:08:25.775555+0100	2031515	3	Misc activity	104.16.167.228	80	192.168.2.7	50633	TCP

ET MALWARE Possible WannaCry DNS Lookup 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.377535+0100	2024291	1	A Network Trojan was detected	192.168.2.7	52337	1.1.1.1	53	UDP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.916946+0100	2024298	1	A Network Trojan was detected	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024298	1	A Network Trojan was detected	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024298	1	A Network Trojan was detected	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024298	1	A Network Trojan was detected	192.168.2.7	50633	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.916946+0100	2024299	1	A Network Trojan was detected	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024299	1	A Network Trojan was detected	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024299	1	A Network Trojan was detected	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024299	1	A Network Trojan was detected	192.168.2.7	50633	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.916946+0100	2024301	1	A Network Trojan was detected	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024301	1	A Network Trojan was detected	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024301	1	A Network Trojan was detected	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024301	1	A Network Trojan was detected	192.168.2.7	50633	104.16.167.228	80	TCP

ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.916946+0100	2024302	1	A Network Trojan was detected	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024302	1	A Network Trojan was detected	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024302	1	A Network Trojan was detected	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024302	1	A Network Trojan was detected	192.168.2.7	50633	104.16.167.228	80	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T14:06:19.916946+0100	2803304	3	Unknown Traffic	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2803304	3	Unknown Traffic	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2803304	3	Unknown Traffic	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2803304	3	Unknown Traffic	192.168.2.7	50633	104.16.167.228	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: alN48K3xcD.dll

Avira: detected

Antivirus detection for URL or domain

Source: https://login.live.co

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: HEUR/AGEN.1339339

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 79%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Source: alN48K3xcD.dll	Virustotal: Detection: 94%			Perma Link
Source: alN48K3xcD.dll	ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.3% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: alN48K3xcD.dll

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: alN48K3xcD.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.7:49715 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.7:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.7:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.7:49744 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.7:49744 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.7:49744 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.7:49744 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.7:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.7:49715 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.7:49715 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.7:49715 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.7:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024298 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 : 192.168.2.7:50633 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024299 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 : 192.168.2.7:50633 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024301 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 : 192.168.2.7:50633 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2024302 - Severity 1 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 : 192.168.2.7:50633 -> 104.16.167.228:80

Tries to download HTTP data from a sinkholed server

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:06:19 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9026151a0a7d4326-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:06:20 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9026151f795c19b6-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:06:22 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9026152a3dd50cbe-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 15 Jan 2025 13:08:25 GMTContent-Type: text/htmlContent-Length: 607Connection: closeServer: cloudflareCF-RAY: 9026182caad10cc0-EWRData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 66 6c 61 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 2d 62 6f 78 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 69 67 2d 63 6f 6e 74 65 6e 74 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6c 65 61 72 22 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 68 31 3e 53 69 6e 6b 68 6f 6c 65 64 21 3c 2f 68 31 3e 3c 70 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 69 6e 6b 68 6f 6c 65 64 20 62 79 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 2e 63 6f 6d 22 3e 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 61 3e 2e 3c 2f 70 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: Network traffic	Suricata IDS: 2024291 - Severity 1 - ET MALWARE Possible WannaCry DNS Lookup 1 : 192.168.2.7:52337 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49715 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49711 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49744 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.7:49711
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.7:49744
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.7:49715
Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:50633 -> 104.16.167.228:80
Source: Network traffic	Suricata IDS: 2031515 - Severity 3 - ET MALWARE Known Sinkhole Response Kryptos Logic : 104.16.167.228:80 -> 192.168.2.7:50633

Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.110
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.110
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.110
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.110
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 162.93.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.143
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.143
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.143
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.143
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.78
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.78
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.78
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.78
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 3.129.41.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 220.134.191.1
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 203.77.176.15
Source: unknown	TCP traffic detected without corresponding DNS query: 203.77.176.15

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Source: svchost.exe, 00000010.00000003.1488213786.0000014375D07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.N
Source: svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000010.00000003.1383483739.0000014375D53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><CipherValue>M.
Source: svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd
Source: svchost.exe, 00000010.00000003.1488026444.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591419601.0000014375D13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1501528781.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1407749663.0000014375D54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1541973305.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526500142.00000143764E4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526453522.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526405713.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1556024167.00000143764B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb.net
Source: svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591572272.0000014376430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb:pp
Source: svchost.exe, 00000010.00000002.2591597787.0000014376453000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbad
Source: svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbe
Source: svchost.exe, 00000010.00000002.2591196823.00000143754E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568733666.00000143754E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542236700.00000143754E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 57C8EDB95DF3F0AD4EE2DC2B8CFD41570.16.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000010.00000003.1542604403.0000014375D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
Source: svchost.exe, 00000010.00000003.1542604403.0000014375D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs
Source: svchost.exe, 00000010.00000003.1488213786.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591938555.0000014376512000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580825324.0000014376512000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd-cbc
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA
Source: svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA
Source: svchost.exe, 00000010.00000003.1474148492.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdLrsBzT
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdOAPF
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdithm
Source: svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542236700.00000143754E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd/www
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000010.00000003.1542739578.0000014375D76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000010.00000003.1474148492.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdk22sF
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdldsi
Source: svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsAAAA
Source: svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.sis-op
Source: svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000010.00000002.2591401122.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542959961.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568428184.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568490797.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542501302.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568405847.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555898968.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542699174.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542764814.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514148156.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581229604.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514252995.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581192571.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514125886.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542534619.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581101248.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555922501.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514228989.0000014375D09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyAAAAA
Source: svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyC
Source: svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000010.00000003.1541973305.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526500142.00000143764E4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526453522.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526405713.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1556024167.00000143764B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000010.00000002.2591172475.00000143754C7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000010.00000003.1542739578.0000014375D76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA
Source: Amcache.hve.12.dr	String found in binary or memory: http://upx.sf.net
Source: alN48K3xcD.dll	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1362501340.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B8F000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/5
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/E
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/EX
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Q
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/a
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com321
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5X
Source: mssecsvc.exe, 00000008.00000002.1994955871.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comQ
Source: mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comf
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comgsq
Source: mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comq
Source: svchost.exe, 00000010.00000003.1567701504.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580529333.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: svchost.exe, 00000010.00000003.1567701504.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580529333.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.or
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000010.00000002.2591235005.0000014375502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Chang
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806014
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600s
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379949298.0000014375D57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 00000010.00000002.2591235005.0000014375502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.co
Source: svchost.exe, 00000010.00000002.2591572272.0000014376430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfC
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000010.00000003.1560947124.000001437651B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591878852.00000143764E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591527460.0000014376400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591572272.0000014376430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000010.00000003.1547351882.000001437648D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srfLMEMX
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000010.00000002.2591196823.00000143754E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568733666.00000143754E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542236700.00000143754E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DkvBnbtLnkEBeylwWMZ
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000010.00000003.1380101220.0000014375D6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591572272.0000014376430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591235005.0000014375502000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379949298.0000014375D57000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000010.00000003.1379538657.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfDuC
Source: svchost.exe, 00000010.00000003.1555264995.00000143764BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfMuC
Source: svchost.exe, 00000010.00000003.1567875584.00000143764BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfOuC
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srff
Source: svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1418132529.0000014376439000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591172475.00000143754C7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf/~GvC
Source: svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srfityCRL
Source: svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comnet
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srfGo
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfx
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
Source: svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfublic
Source: svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsto
Source: svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000E.00000002.1380161223.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.kryptoslogic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: alN48K3xcD.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e6948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb5104.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23d78c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e6948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb5104.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1eb10a4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.23e28e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.1369474007.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1351302945.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1996236950.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1340886302.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1995899155.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1379301697.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7476, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7572, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7800, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: alN48K3xcD.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 14.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ed8128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ed8128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 14.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23d78c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ea6084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb5104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb5104.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 14.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 15.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 15.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 15.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 15.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23d78c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23d78c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 14.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.240996c.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.240996c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ed8128.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ed8128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb5104.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1eb10a4.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.23e28e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 9_2_00406C40	9_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402A76	9_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402E7E	9_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040350F	9_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00404C19	9_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040541F	9_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00403797	9_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 9_2_004043B6	9_2_004043B6
Source: C:\Windows\tasksche.exe	Code function: 9_2_004031BC	9_2_004031BC

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660

Source: tasksche.exe.6.dr

Static PE information: No import functions for PE file found

Source: alN48K3xcD.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: alN48K3xcD.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ed8128.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ed8128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e6948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23d78c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240996c.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ea6084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb5104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb5104.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 14.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 15.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 15.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 15.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23d78c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23d78c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 14.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.240996c.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.240996c.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 14.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ed8128.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ed8128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1ea6084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.23e6948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb5104.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1eb10a4.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.23e28e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@32/17@1/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		8_2_00407C40

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7660
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7940:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:7712:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7908

Source: C:\Windows\System32\svchost.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f2b7aee0-a867-43cb-95b1-e4cd9fd3fe2d

Jump to behavior

Source: alN48K3xcD.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\alN48K3xcD.dll,PlayGame

Source: alN48K3xcD.dll	Virustotal: Detection: 94%
Source: alN48K3xcD.dll	ReversingLabs: Detection: 92%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\alN48K3xcD.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 228
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7908 -ip 7908
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 196
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\alN48K3xcD.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 228	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7908 -ip 7908	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 196	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptprov.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: alN48K3xcD.dll

Static file information: File size 5267459 > 1048576

Source: alN48K3xcD.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe	Code function: 9_2_00407710 push eax; ret		9_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 9_2_004076C8 push eax; ret		9_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 7632	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7632	Thread sleep time: -184000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7636	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7636	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7632	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.12.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.12.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvc.exe, 00000006.00000002.1362501340.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1362501340.0000000000DA9000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000006.00000002.1362501340.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.1995463251.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000E.00000002.1380161223.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568087730.00000143754AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567914450.00000143754AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.00000143754AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq\|
Source: Amcache.hve.12.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.12.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: Amcache.hve.12.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.12.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.12.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: svchost.exe, 00000010.00000002.2591938555.0000014376508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.12.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.12.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\tasksche.exe

Code function: 9_2_004077BA EntryPoint,LdrInitializeThunk,

9_2_004077BA

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 228	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7908 -ip 7908	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 196	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
alN48K3xcD.dll	94%	Virustotal		Browse
alN48K3xcD.dll	92%	ReversingLabs	Win32.Ransomware.WannaCry
alN48K3xcD.dll	100%	Avira	TR/Ransom.Gen
alN48K3xcD.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\tasksche.exe	100%	Avira	HEUR/AGEN.1339339
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	79%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	79%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5X	0%	Avira URL Cloud	safe
https://login.live.co	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com321	0%	Avira URL Cloud	safe
https://login.microsto	0%	Avira URL Cloud	safe
http://docs.sis-op	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comQ	0%	Avira URL Cloud	safe
http://Passport.N	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comf	0%	Avira URL Cloud	safe
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comgsq	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	true	false		high
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com5X	mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com321	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdk22sF	svchost.exe, 00000010.00000003.1474148492.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdithm	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID	svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf	svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsto	svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceQuery.srf	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/EX	mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdldsi	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdLrsBzT	svchost.exe, 00000010.00000003.1474148492.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/ResolveUser.srf	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-	svchost.exe, 00000010.00000003.1542604403.0000014375D7B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/MSARST2.srf	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.N	svchost.exe, 00000010.00000003.1488213786.0000014375D07000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://Passport.NET/STS	svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.live.co	svchost.exe, 00000010.00000002.2591235005.0000014375502000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	alN48K3xcD.dll	false		high
http://www.w3.	svchost.exe, 00000010.00000003.1567701504.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580529333.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comQ	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAA	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comT	mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xs	svchost.exe, 00000010.00000003.1542604403.0000014375D7B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA	svchost.exe, 00000010.00000003.1542739578.0000014375D76000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds	svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/devicechangecredential.srf	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.sis-op	svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/a	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAA	svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf	svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb	svchost.exe, 00000010.00000003.1488026444.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591419601.0000014375D13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1501528781.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1407749663.0000014375D54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1541973305.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526500142.00000143764E4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526453522.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526405713.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1556024167.00000143764B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tbad	svchost.exe, 00000010.00000003.1547351882.000001437646F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tbe	svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfublic	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542236700.00000143754E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trustAAAAA	svchost.exe, 00000010.00000003.1542739578.0000014375D76000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/InlineSignup.aspx?iww=1&id=80502	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdOAPF	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS09/xmldsig#ripledes-cbcices/SOAPFaultcurity-utility-1.0.xsd	svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Chang	svchost.exe, 00000010.00000002.2591235005.0000014375502000.00000004.00000020.00020000.00000000.sdmp	false		high
https://signup.live.com/signup.aspx	svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb_	svchost.exe, 00000010.00000002.2591597787.0000014376453000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comJ	mssecsvc.exe, 00000008.00000002.1994955871.000000000019D000.00000004.00000010.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srfx	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/Q	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comq	mssecsvc.exe, 0000000E.00000002.1380161223.0000000000B58000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com/ppsecure/DeviceQuery.srfGo	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policy	svchost.exe, 00000010.00000002.2591401122.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542959961.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568428184.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568490797.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542501302.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568405847.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555898968.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542699174.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542764814.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514148156.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581229604.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514252995.0000014375D0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581192571.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514125886.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542534619.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1581101248.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555922501.0000014375D09000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1514228989.0000014375D09000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd/www	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/msangcwam	svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379979811.0000014375D40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379906252.0000014375D3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379949298.0000014375D57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/E	mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.w3.or	svchost.exe, 00000010.00000003.1567701504.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580529333.00000143754BE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf	svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000010.00000002.2591196823.00000143754E3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1568733666.00000143754E2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1542236700.00000143754E2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://passport.net/tb	svchost.exe, 00000010.00000003.1497666334.0000014376470000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.12.dr	false		high
https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsAAAA	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comf	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds	svchost.exe, 00000010.00000003.1501338119.0000014375D79000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	svchost.exe, 00000010.00000003.1541973305.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526500142.00000143764E4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526453522.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591103576.00000143754B8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1526405713.0000014375D5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1556024167.00000143764B8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb.net	svchost.exe, 00000010.00000002.2591635631.0000014376468000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/5	mssecsvc.exe, 00000006.00000002.1362501340.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=80601	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379582766.0000014375D52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1380364543.0000014375D56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379393047.0000014375D2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc	svchost.exe, 00000010.00000002.2591441171.0000014375D37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600s	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80601	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80600	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policyAAAAA	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/STS</ds:KeyName></ds:KeyInfo><CipherData><CipherValue>M.	svchost.exe, 00000010.00000003.1383483739.0000014375D53000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	svchost.exe, 00000010.00000002.2591172475.00000143754C7000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer	svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590949317.000001437542B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590971013.0000014375445000.00000004.00000020.00020000.00000000.sdmp	false		high
http://Passport.NET/tb:pp	svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591572272.0000014376430000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.kryptoslogic.com	mssecsvc.exe, 00000006.00000002.1362501340.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 0000000E.00000002.1380161223.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd-cbc	svchost.exe, 00000010.00000003.1567855950.0000014375D74000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80605	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE	svchost.exe, 00000010.00000003.1379503929.0000014375D10000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/Wizard/Password/Change?id=806014	svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80603	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1379859724.0000014375D4D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.live.com/inlinesignup.aspx?iww=1&id=80604	svchost.exe, 00000010.00000003.1380017400.0000014375D63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2590992033.000001437545E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comgsq	mssecsvc.exe, 00000008.00000002.1995463251.0000000000BBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd	svchost.exe, 00000010.00000003.1488213786.0000014375D07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591938555.0000014376512000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1580825324.0000014376512000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1567835417.0000014375D6E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000010.00000003.1555831177.0000014375D7A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/09/policyC	svchost.exe, 00000010.00000002.2591465758.0000014375D5F000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
206.93.182.207	unknown	United States	3549	LVLT-3549US	false
203.77.176.15	unknown	Korea Republic of	24509	XPEDITE-AS-KRXpediteSystemsElectronicdocumentdistributi	false
220.134.191.1	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
220.134.191.2	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
13.34.249.1	unknown	United States	7018	ATT-INTERNET4US	false
158.21.165.1	unknown	United States	32033	EXXONMOBIL-UTEC-ASUS	false
136.162.19.1	unknown	United States	27510	CRAYUS	false
220.134.191.3	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
13.34.249.4	unknown	United States	7018	ATT-INTERNET4US	false
220.134.191.4	unknown	Taiwan; Republic of China (ROC)	3462	HINETDataCommunicationBusinessGroupTW	false
9.170.56.1	unknown	United States	3356	LEVEL3US	false
73.32.183.1	unknown	United States	7922	COMCAST-7922US	false
97.105.73.1	unknown	United States	11427	TWC-11427-TEXASUS	false
200.15.2.213	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
213.138.21.1	unknown	France	12684	SES-LUX-ASLU	false
208.183.42.1	unknown	United States	19957	TENNESSEE-NETUS	false
206.93.182.1	unknown	United States	3549	LVLT-3549US	false
208.183.42.193	unknown	United States	19957	TENNESSEE-NETUS	false
36.202.180.9	unknown	China	24138	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
32.149.7.1	unknown	United States	2686	ATGS-MMD-ASUS	false
3.129.41.78	unknown	United States	16509	AMAZON-02US	false
36.202.180.1	unknown	China	24138	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
89.74.77.37	unknown	Poland	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
162.93.121.1	unknown	United States	6949	CHARLES-SCHWABUS	false
162.93.121.2	unknown	United States	6949	CHARLES-SCHWABUS	false
32.149.7.237	unknown	United States	2686	ATGS-MMD-ASUS	false
157.157.97.4	unknown	Iceland	6677	ICENET-AS1IS	false
157.157.97.2	unknown	Iceland	6677	ICENET-AS1IS	false
157.157.97.3	unknown	Iceland	6677	ICENET-AS1IS	false
157.157.97.1	unknown	Iceland	6677	ICENET-AS1IS	false
9.170.56.131	unknown	United States	3356	LEVEL3US	false
73.32.183.92	unknown	United States	7922	COMCAST-7922US	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591813
Start date and time:	2025-01-15 14:05:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	alN48K3xcD.dll renamed because original name is a hash value
Original Sample Name:	9cccad94729abbbd27c8071de58402b9.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@32/17@1/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 40.126.31.69, 20.190.159.75, 20.190.159.23, 20.190.159.4, 20.190.159.2, 20.190.159.64, 40.126.31.71, 20.190.159.0, 199.232.214.172, 20.42.73.29, 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, time.windows.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, umwatson.events.data.microsoft.com, wu-b-net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:06:20	API Interceptor	1x Sleep call for process: loaddll32.exe modified
08:06:41	API Interceptor	2x Sleep call for process: WerFault.exe modified
08:06:55	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	NZZ71x6Cyz.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	bC61G18iPf.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	XB6SkLK7Al.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	ue5QSYCBPt.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	xjljKPlxqO.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	FAuEwllF3K.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	6fRzgDuqWT.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	104.16.167.228
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	104.16.166.228
bg.microsoft.map.fastly.net	RFQ # PC25-1301.xlsx	Get hash	malicious	Unknown	Browse	199.232.210.172
	21033090848109083.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG	Get hash	malicious	Unknown	Browse	199.232.214.172
	0969686.vbe	Get hash	malicious	AgentTesla	Browse	199.232.210.172
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	199.232.210.172
	31070304561863532281.js	Get hash	malicious	Strela Downloader	Browse	199.232.210.172
	Inquiry.js	Get hash	malicious	PXRECVOWEIWOEI Stealer	Browse	199.232.214.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	2387315401298627745.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	92.255.57.112.ps1	Get hash	malicious	PureCrypter	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	107.111.117.177
	https://adelademable.org/abujguyaleon.html	Get hash	malicious	Unknown	Browse	13.32.27.129
	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse	72.151.164.132
	tTbeoLWNhb.dll	Get hash	malicious	Wannacry	Browse	107.227.162.245
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	206.13.39.203
	http://industrious-tomato-ngvkcs.mystrikingly.com/	Get hash	malicious	Unknown	Browse	13.32.27.18
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	12.2.240.16
	habHh1BC0L.dll	Get hash	malicious	Wannacry	Browse	75.17.203.1
	19MgUpI9tj.dll	Get hash	malicious	Wannacry	Browse	76.252.20.1
	http://monitor.linkwhat.com/tl4tl4726Qz107cK770xR10599lj360px17lb07468gl70015oV95328Kn41253VG39381FP5605427918==aru2826664	Get hash	malicious	Phisher	Browse	13.32.23.8
LVLT-3549US	178.215.238.129-x86-2025-01-15T04_59_51.elf	Get hash	malicious	Mirai	Browse	209.136.135.27
	87c6RORO31.dll	Get hash	malicious	Wannacry	Browse	200.186.41.185
	mCgW5qofxC.dll	Get hash	malicious	Wannacry	Browse	131.241.117.1
	ppc.elf	Get hash	malicious	Unknown	Browse	67.16.191.82
	spc.elf	Get hash	malicious	Unknown	Browse	67.73.13.25
	meth6.elf	Get hash	malicious	Mirai	Browse	206.95.118.120
	meth7.elf	Get hash	malicious	Mirai	Browse	97.65.110.115
	sh4.elf	Get hash	malicious	Unknown	Browse	189.125.82.84
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	35.250.163.71
	5.elf	Get hash	malicious	Unknown	Browse	216.253.95.96
HINETDataCommunicationBusinessGroupTW	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	122.116.214.234
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	220.130.244.2
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	36.227.128.128
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	118.161.193.22
	ppc.elf	Get hash	malicious	Unknown	Browse	114.38.29.71
	m68k.elf	Get hash	malicious	Unknown	Browse	60.248.126.39
	spc.elf	Get hash	malicious	Unknown	Browse	122.124.148.167
	x86_64.elf	Get hash	malicious	Unknown	Browse	220.131.103.228
	mpsl.elf	Get hash	malicious	Unknown	Browse	118.167.170.88
	sh4.elf	Get hash	malicious	Unknown	Browse	60.251.25.241
HINETDataCommunicationBusinessGroupTW	V01vdyUACe.dll	Get hash	malicious	Wannacry	Browse	122.116.214.234
	wmnq39xe8J.dll	Get hash	malicious	Wannacry	Browse	220.130.244.2
	GUtEaDsc9X.dll	Get hash	malicious	Wannacry	Browse	36.227.128.128
	04Ct9PoJrL.dll	Get hash	malicious	Wannacry	Browse	118.161.193.22
	ppc.elf	Get hash	malicious	Unknown	Browse	114.38.29.71
	m68k.elf	Get hash	malicious	Unknown	Browse	60.248.126.39
	spc.elf	Get hash	malicious	Unknown	Browse	122.124.148.167
	x86_64.elf	Get hash	malicious	Unknown	Browse	220.131.103.228
	mpsl.elf	Get hash	malicious	Unknown	Browse	118.167.170.88
	sh4.elf	Get hash	malicious	Unknown	Browse	60.251.25.241

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_58356131876c03b70c1bf657eebb55c2c5868ff_34a83304_1a0d97d8-772a-4217-87d7-45f838ee0189\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6257939576788141
Encrypted:	false
SSDEEP:	96:T9VrFIIvs1h6oIa7Rr6tQXIDcQSDc6SIwcEGcw3lm/+HbHsZAX/d5FMT2SlPkpXH:PSIv9E04DmIwsxmkjlzuiFdZ24IO8vw
MD5:	F70A571D6095F44AAF2A13474B00752B
SHA1:	10C45AAC51D6E901773B5DF01841A4AF4A7F07DD
SHA-256:	B84AD17CC346187D23DC9774F95EC39E636A3906175470FF0D57E99FB557F886
SHA-512:	6BF0CDD77838E939F57521ECFA990090FF0C4B2F4924DAF20858B005100ABA9D6558E7BD246963877CF188FD3F16F9A78A1577AC09413A1DB4B1DFAA5381C3C8
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.1.9.9.8.1.7.6.7.0.8.9.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.1.9.9.8.3.4.0.7.7.1.2.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.a.0.d.9.7.d.8.-.7.7.2.a.-.4.2.1.7.-.8.7.d.7.-.4.5.f.8.3.8.e.e.0.1.8.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.8.7.3.0.4.c.-.a.8.e.0.-.4.0.8.6.-.a.c.7.7.-.5.5.a.0.b.d.8.3.e.2.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.a.s.k.s.c.h.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.e.4.-.0.0.0.1.-.0.0.1.4.-.c.d.b.a.-.d.4.4.5.4.e.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.f.7.5.0.4.c.e.4.c.c.7.1.0.3.a.c.6.3.0.3.1.1.c.0.1.6.c.2.e.7.0.0.0.0.f.f.f.f.!.0.0.0.0.c.2.1.3.9.d.5.1.d.6.8.e.5.2.4.4.c.f.1.8.0.e.c.0.4.7.f.f.5.0.1.2.2.6.c.b.7.7.b.d.!.t.a.s.k.s.c.h.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.0./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_58356131876c03b70c1bf657eebb55c2c5868ff_34a83304_554de4e3-cce4-4d08-9bed-45610759fa3b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6331420298142316
Encrypted:	false
SSDEEP:	192:E3IxY9E04DmIwsxmkjEzuiFdZ24IO8vw:OIxY9/4Dm9sxmkjEzuiFdY4IO8vw
MD5:	129CC861FC5AEC1EC11171D986B1415D
SHA1:	4EAC730540875B6E356575D89B8D7974E99EC75A
SHA-256:	9A3A3E8A8AD0322E093C3BD1A7F32160AF6E91D0522633242EEEAF43F9EF2A12
SHA-512:	1F1D43E0E0F081A3E52625D896904D6170F201643752560C8B0DDD2B053C3F2A532BD8D62083F34F2F96853B443E1068AB55D0EDFCC7B3DF4FA613D2FF33FC3D
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.1.9.9.8.0.1.8.8.1.6.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.1.9.9.8.1.4.0.6.9.1.3.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.5.4.d.e.4.e.3.-.c.c.e.4.-.4.d.0.8.-.9.b.e.d.-.4.5.6.1.0.7.5.9.f.a.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.a.e.e.2.d.a.b.-.d.e.4.e.-.4.3.2.2.-.b.4.e.d.-.d.9.e.f.7.8.f.6.9.c.d.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.t.a.s.k.s.c.h.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.e.c.-.0.0.0.1.-.0.0.1.4.-.1.b.2.4.-.d.6.4.4.4.e.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.a.f.7.5.0.4.c.e.4.c.c.7.1.0.3.a.c.6.3.0.3.1.1.c.0.1.6.c.2.e.7.0.0.0.0.f.f.f.f.!.0.0.0.0.c.2.1.3.9.d.5.1.d.6.8.e.5.2.4.4.c.f.1.8.0.e.c.0.4.7.f.f.5.0.1.2.2.6.c.b.7.7.b.d.!.t.a.s.k.s.c.h.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.0./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F5B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jan 15 13:06:20 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1055652
Entropy (8bit):	0.8177924822992949
Encrypted:	false
SSDEEP:	1536:NXrkGka4niuAJnD5yUrkhgU2ZpUsO8ei5NAW2KCbs:NXrkDqpD5y+koZpUsO8ei5NAW2K5
MD5:	8529687D9348116B59F96E10EFB3450E
SHA1:	62B6743A4027C0DA5DED568903B4DEDAE2927ABD
SHA-256:	521251A41DB8146D31D043D7DD0315A76901DAE7B905C37F48036D5601013CB5
SHA-512:	4E438AC36C196EEFDED9AA0409C3126AE3CAD645F4C3B00BD8FABAF0ECA9CBAFEED4F5F9F0955DFF1BE20313BF136697BA2E731D11124AD4573348C4941BC48E
Malicious:	false
Preview:	MDMP..a..... .........g............4...............<.......D...............T.......8...........T...........H...\.......................................................................................................eJ......L.......GenuineIntel............T.............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4334.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6372
Entropy (8bit):	3.713244165993617
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+Y6mPRuqYIP6cIxpDT89bFOsfSXm:R6lXJR6SYIP6ctFNf7
MD5:	010DEF99E4196ECE6C911D6FA40423AD
SHA1:	49DD1BD9A5EB431241216B234BB16F1559596678
SHA-256:	123D6A12681F93263CD64FFFCF9ABC39B882EB25C6E5E5A16AF51E8C813DA9B9
SHA-512:	89CEF5670D54B86B38E2F6886245F0FF257994E43717910927DF4078710CBDF74AAC0A4D9259DA42D6994A33F0C2C87359E87E1A50FB159D5F8A961319881EA7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4364.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.4583303643889405
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg77aI9ADWpW8VYBYm8M4JNOgO3FGXH+q8vYOgOE3uG6SyTd:uIjfTI7Cy7VJJHL3KsTuG6SyTd
MD5:	66B57189C8956329105B580A760004A6
SHA1:	553848FE25F18A73D5D4EF019A587DB22DE1355E
SHA-256:	541924E20E0626DE5424C85C8E52868A1EE8CA1A63FBC8202D35AC52DF6CCAF4
SHA-512:	184AB821540F99C572A7ABC2F8086CE8A101266FE25AEFFD29A6A73B5D5E63871A06BCCF3FC606216487BF8FD83BD03616916807399FF25DF51EFB3C09C0F555
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677049" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4372.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80204
Entropy (8bit):	3.0583591439031697
Encrypted:	false
SSDEEP:	1536:0G28IN5FcUHnhdrVh6i/hslcD6KeWtupdbHQ/R:0G28IN5FcUHnhdrVh6i/hslcmKeWtup+
MD5:	C677F7122353DD8C78FAC837A094106B
SHA1:	3E82F687926317BA2F412BF8615C4D62E34260DA
SHA-256:	09C7ED9957561C067ED1CBA50B11A2D5475DD23EE54AC39FCE0F1ACAAE338B76
SHA-512:	421B2A3AE8BC5EF12E57C392807B8B602E428C33CA76D111F694E4C24DB8BD5746A530DE513FFCD726E1E8EC74DE51DA50A7A03653DB1D6AAEE7871CF52BF215
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E0.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6852309677585917
Encrypted:	false
SSDEEP:	96:TiZYW1mJQsYyYyWIHNUYEZdHtEi5kkLQQwccDaalPMf/lI8U3:2ZDkFITyaalPMf/68U3
MD5:	1EDE3A13A51A4E6BDA10EF7EA935EC91
SHA1:	28CB58B1844F3DEFBCAD78E3CC40A332CDD20B74
SHA-256:	BBA90C5DF258FC0A529F889AAB4C9DBE1B8AF62C2A9BDEB2C684AEB25529A576
SHA-512:	EFF04528209C9CE17357583A32DD8BF17B534DAE5A259567DC579657437A7104AD403C968B76C0F26266F64E273333E33E2E3DA5DF9C7AE68ADA460C6D38E602
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45B4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jan 15 13:06:21 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	1055184
Entropy (8bit):	0.8185420095407017
Encrypted:	false
SSDEEP:	1536:Rrrkyka43euwlvwNGE7w9gUu5pUMq8eK95UW2KyU:RrrkXmFwNGuw85pUMq8eK95UW2KR
MD5:	932F151496B0781A742035E8F4D02813
SHA1:	9C6CD0082755DEA0090440F6413A4B61ABC68B20
SHA-256:	D95308B809F8221B6345B7A35C8B55A8A7BB7913536702505BA1D9925BC78858
SHA-512:	A8B5EFD90D18CB28E32219F52557BB68B22448A05DFCD88184872487A3830F22F38BD8E0C902306B4CF00F968F1A0FF551CF4A935F014C87C4A6DB750E39E5AE
Malicious:	false
Preview:	MDMP..a..... .........g............4........... ...<.......D...............T.......8...........T...........................\...........H...............................................................................eJ..............GenuineIntel............T.............g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B43.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6376
Entropy (8bit):	3.7165513843909554
Encrypted:	false
SSDEEP:	192:R6l7wVeJHI66OYIP6cIxpDa89b3Rsf09m:R6lXJo61YIP6cK3KfD
MD5:	2E93BF0F2FC25BA645EF3E731F5E08E0
SHA1:	9891B97AA54CCDA0DDB5B5E5DA80D63A1B4CDB1F
SHA-256:	15F39BFF9AF3C699F2C6EBD642497D8975EB2C5CD122335AD5DFAAC382B07F00
SHA-512:	116BCEAD863EB3B1DFB15B25A5CD18826F7D5F8234A03DCCF2FFA657004E1D8B4004E374BBA384111181FF744CA0C16140B857AD886466BDAA4FE2F12B43F5BC
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B72.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.458942616284532
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg77aI9ADWpW8VYTsYm8M4JNOgO3F3+q8vYOgO5s6Sy3d:uIjfTI7Cy7VUJHSKsas6Sy3d
MD5:	A4BCF30A23A0B4847F104DC053BF2811
SHA1:	EC4999E89FA66B44C8B7B9F96B0C971B29E4BC3A
SHA-256:	D0095160F8E0CD63B819DA4938D6203A08EBEA40B791E9631842805FC54194E0
SHA-512:	6AC9B8A37EEEB8A17F253BA51DF82E9251202172D414594D0D098CB66A46BA6951E15E85F5A02C7211065F3DE071D194B75344D007111E05B4644CEA72CE5CED
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677049" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B82.tmp.csv

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	80980
Entropy (8bit):	3.0577167807029184
Encrypted:	false
SSDEEP:	1536:mrqmKNuEgn8sqEh6a4slcDNKeWtupdbHQ/9:mrqmKNuEgn8sqEh6a4slcxKeWtupdbHY
MD5:	EEA8A26B79649986F51CF40EAD81EC73
SHA1:	42C6B6399B32A572765319E5278551A91D0D3D78
SHA-256:	E22B427B18A3609F36579DEBCE32669AC3ED27ABC50D5DE75C0CF19501B98534
SHA-512:	93BD56242573E196F3DC5CEBCB77260CA980F6FB536BFFB23A4897F043D2628CC280064E2257291492E243BBECA250C6009E02ABDA6FC2E039CCFCC0347D1D11
Malicious:	false
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4BC2.tmp.txt

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6852623853933664
Encrypted:	false
SSDEEP:	96:TiZYW96Oc8qrY8YsWO/HzUYEZg72tEidkqLQUwyrWIJa9lqMH/CIxU3:2ZD9crL5Gxa9lqMH/lxU3
MD5:	2F704A775E78EC28A6FFA51AF7897553
SHA1:	E04928A139397B73D32BA21EAD48D53CFC8048E5
SHA-256:	2DBC1848A2E7DB49FD9108690AD89F5EE20E54DED4EA2A5F9CADAE8E133B4D44
SHA-512:	D1BF72A3ACCEF8E3AA885F2CCC27657897A7F1CDF87585BD5EFBA57E7109B02252360C61A860AD78196A920DA407A844EEB284FA045C665E4F81278E12641685
Malicious:	false
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
Category:	dropped
Size (bytes):	4761
Entropy (8bit):	7.945585251880973
Encrypted:	false
SSDEEP:	96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
MD5:	77B20B5CD41BC6BB475CCA3F91AE6E3C
SHA1:	9E98ACE72BD2AB931341427A856EF4CEA6FAF806
SHA-256:	5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
SHA-512:	3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
Malicious:	false
Preview:	MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.\|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.\|.....VQ....<........... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	340
Entropy (8bit):	3.2565883919783145
Encrypted:	false
SSDEEP:	6:kKFoMq5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:6uLkPlE99SCQl2DUeXJlOA
MD5:	CB52D2F6D3C28246311E803790933025
SHA1:	DDC893BE2C0B1CC99FEDC80595A8DF7E99FAB95F
SHA-256:	A2C1D8CA9C8206023678566E8F09259C0E21FA0087BF84D0FEBF2C7F36C89328
SHA-512:	863212439DBC8BCB1BE85DAE7B7A3A3BD5E645D4A840E3BEB741CBA8EEA0AB86C72D4368B8F508B3B4712E612ED4087A6FC8B1E92433A3812368C8A03F5A660E
Malicious:	false
Preview:	p...... ..........TGNg..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.48132154136637
Encrypted:	false
SSDEEP:	98304:Qpz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QB1Cxcxk3ZAEUadzR8yc4Hj
MD5:	A848C62D74569AFFBA05EE92D4033A36
SHA1:	C2139D51D68E5244CF180EC047FF501226CB77BD
SHA-256:	C3F5E8D93AAED9BC2FD5FEA724CD35C1AFFACB1679C1FDBB5ACD3762582EB7B8
SHA-512:	A0E32E8E03183ECF687F546B64882BFBA104067B68F13D1F9645C9C0B3B385E96719ED81701CB335B3F053A818C44C06E7F6CA6CCDA3984590BF8FE67EA61896
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416568287784903
Encrypted:	false
SSDEEP:	6144:jcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNO5+:Yi58oSWIZBk2MM6AFBYo
MD5:	D331D69EF0928105E8A613179D0CD2AA
SHA1:	FD6FA73E3C04B2E72565366FA808A52B5BD85955
SHA-256:	87C5093FDD8DD37049DB509516946555756296FEC508E1FDF036EB7B6E35DC9E
SHA-512:	CE7957B8C37F7852123FB0E7699AF1E3EBCF5D750A237BC080EA2529F99399788FB44549052E7FDB82C68EB80525583282BF4149B884AFE2453581F3FCF10AE3
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN..ENg...............................................................................................................................................................................................................................................................................................................................................Q.q........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.48132154136637
Encrypted:	false
SSDEEP:	98304:Qpz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2Hj:QB1Cxcxk3ZAEUadzR8yc4Hj
MD5:	A848C62D74569AFFBA05EE92D4033A36
SHA1:	C2139D51D68E5244CF180EC047FF501226CB77BD
SHA-256:	C3F5E8D93AAED9BC2FD5FEA724CD35C1AFFACB1679C1FDBB5ACD3762582EB7B8
SHA-512:	A0E32E8E03183ECF687F546B64882BFBA104067B68F13D1F9645C9C0B3B385E96719ED81701CB335B3F053A818C44C06E7F6CA6CCDA3984590BF8FE67EA61896
Malicious:	true
Yara Hits:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.811685017751976
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	alN48K3xcD.dll
File size:	5'267'459 bytes
MD5:	9cccad94729abbbd27c8071de58402b9
SHA1:	0bbd3b74d2fae3564266b63fc251860e48bd77bd
SHA256:	fc7b58c22d9f27207af9c640c751dcab61fd90621ed9df95591d78b2758073f5
SHA512:	2209d4267c07de089fef98bcf4d6d5ff82cb5621e74da5650e620ffb5b68ae5148c92d355ce9accdb951d1f4a831ee08def663d43916de94e39284eadc24637f
SSDEEP:	98304:+Dpz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DB1Cxcxk3ZAEUadzR8yc4H
TLSH:	15363394665CD0FCF0400EF448678E6AF7B73C196BB64D1F97C0867A0E93B9BBA94601
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007FEC90C5FB0Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007FEC90C5FB28h
cmp esi, 01h
je 00007FEC90C5FB07h
cmp esi, 02h
jne 00007FEC90C5FB24h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FEC90C5FB0Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007FEC90C5FB0Eh
push edi
push esi
push ebx
call 00007FEC90C5FA1Ah
test eax, eax
jne 00007FEC90C5FB06h
xor eax, eax
jmp 00007FEC90C5FB50h
push edi
push esi
push ebx
call 00007FEC90C5F8CCh
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007FEC90C5FB0Eh
test eax, eax
jne 00007FEC90C5FB39h
push edi
push eax
push ebx
call 00007FEC90C5F9F6h
test esi, esi
je 00007FEC90C5FB07h
cmp esi, 03h
jne 00007FEC90C5FB28h
push edi
push esi
push ebx
call 00007FEC90C5F9E5h
test eax, eax
jne 00007FEC90C5FB05h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007FEC90C5FB13h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007FEC90C5FB0Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	dbd32feb57ba44457f8e5cbb38609e62	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.45653438568115234

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T14:06:19.377535+0100	2024291	ET MALWARE Possible WannaCry DNS Lookup 1	1	192.168.2.7	52337	1.1.1.1	53	UDP
2025-01-15T14:06:19.916946+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:19.916946+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:19.916946+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:19.916946+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:19.916946+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.7	49711	104.16.167.228	80	TCP
2025-01-15T14:06:19.917699+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.7	49711	TCP
2025-01-15T14:06:20.787284+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:20.787284+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.7	49715	104.16.167.228	80	TCP
2025-01-15T14:06:20.787701+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.7	49715	TCP
2025-01-15T14:06:22.504934+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:06:22.504934+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.7	49744	104.16.167.228	80	TCP
2025-01-15T14:06:22.505498+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.7	49744	TCP
2025-01-15T14:08:25.770154+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.7	50633	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024298	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1	1	192.168.2.7	50633	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024299	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2	1	192.168.2.7	50633	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024301	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4	1	192.168.2.7	50633	104.16.167.228	80	TCP
2025-01-15T14:08:25.770154+0100	2024302	ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5	1	192.168.2.7	50633	104.16.167.228	80	TCP
2025-01-15T14:08:25.775555+0100	2031515	ET MALWARE Known Sinkhole Response Kryptos Logic	3	104.16.167.228	80	192.168.2.7	50633	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 14:06:12.368360996 CET	49677	443	192.168.2.7	20.50.201.200
Jan 15, 2025 14:06:13.306014061 CET	49675	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:13.306159019 CET	49674	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:13.493367910 CET	49672	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:13.868421078 CET	49677	443	192.168.2.7	20.50.201.200
Jan 15, 2025 14:06:16.852725983 CET	49677	443	192.168.2.7	20.50.201.200
Jan 15, 2025 14:06:19.422761917 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.427615881 CET	80	49711	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:19.427705050 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.428608894 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.433399916 CET	80	49711	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:19.916870117 CET	80	49711	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:19.916945934 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.917699099 CET	80	49711	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:19.917762995 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.925975084 CET	49711	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:19.930771112 CET	80	49711	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.280569077 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.285387039 CET	80	49715	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.285456896 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.296495914 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.301285982 CET	80	49715	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.787223101 CET	80	49715	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.787283897 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.787700891 CET	80	49715	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.787770987 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.791588068 CET	49715	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:20.796331882 CET	80	49715	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:20.879391909 CET	49720	445	192.168.2.7	162.93.121.110
Jan 15, 2025 14:06:20.884166002 CET	445	49720	162.93.121.110	192.168.2.7
Jan 15, 2025 14:06:20.884232998 CET	49720	445	192.168.2.7	162.93.121.110
Jan 15, 2025 14:06:20.885155916 CET	49720	445	192.168.2.7	162.93.121.110
Jan 15, 2025 14:06:20.885348082 CET	49721	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.890049934 CET	445	49720	162.93.121.110	192.168.2.7
Jan 15, 2025 14:06:20.890089989 CET	49720	445	192.168.2.7	162.93.121.110
Jan 15, 2025 14:06:20.890180111 CET	445	49721	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:20.890238047 CET	49721	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.890264988 CET	49721	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.893104076 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.895221949 CET	445	49721	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:20.895263910 CET	49721	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.898019075 CET	445	49722	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:20.898087025 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.898139000 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:20.902916908 CET	445	49722	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:21.649588108 CET	49671	443	192.168.2.7	204.79.197.203
Jan 15, 2025 14:06:22.004895926 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.009697914 CET	80	49744	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:22.009818077 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.009947062 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.014669895 CET	80	49744	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:22.504756927 CET	80	49744	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:22.504934072 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.505029917 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.505497932 CET	80	49744	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:22.505562067 CET	49744	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:06:22.511552095 CET	80	49744	104.16.167.228	192.168.2.7
Jan 15, 2025 14:06:22.806230068 CET	49677	443	192.168.2.7	20.50.201.200
Jan 15, 2025 14:06:22.891227007 CET	49759	445	192.168.2.7	220.134.191.143
Jan 15, 2025 14:06:22.896096945 CET	445	49759	220.134.191.143	192.168.2.7
Jan 15, 2025 14:06:22.896184921 CET	49759	445	192.168.2.7	220.134.191.143
Jan 15, 2025 14:06:22.896294117 CET	49759	445	192.168.2.7	220.134.191.143
Jan 15, 2025 14:06:22.896471977 CET	49760	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.901299953 CET	445	49759	220.134.191.143	192.168.2.7
Jan 15, 2025 14:06:22.901316881 CET	445	49760	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:22.901364088 CET	49759	445	192.168.2.7	220.134.191.143
Jan 15, 2025 14:06:22.901372910 CET	49760	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.907071114 CET	49760	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.911875010 CET	445	49760	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:22.913233995 CET	49760	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.919811964 CET	49674	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:22.919821024 CET	49675	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:22.927028894 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.931818008 CET	445	49761	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:22.932481050 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.932481050 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:22.937340021 CET	445	49761	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:23.102720022 CET	49672	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:24.900753021 CET	49795	445	192.168.2.7	3.129.41.78
Jan 15, 2025 14:06:24.905643940 CET	445	49795	3.129.41.78	192.168.2.7
Jan 15, 2025 14:06:24.905723095 CET	49795	445	192.168.2.7	3.129.41.78
Jan 15, 2025 14:06:24.905764103 CET	49795	445	192.168.2.7	3.129.41.78
Jan 15, 2025 14:06:24.906003952 CET	49796	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.910758018 CET	445	49795	3.129.41.78	192.168.2.7
Jan 15, 2025 14:06:24.910814047 CET	445	49796	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:24.910821915 CET	49795	445	192.168.2.7	3.129.41.78
Jan 15, 2025 14:06:24.910880089 CET	49796	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.910953999 CET	49796	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.911747932 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.915774107 CET	445	49796	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:24.915826082 CET	49796	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.916584015 CET	445	49797	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:24.916645050 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.916739941 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:24.921524048 CET	445	49797	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:25.006267071 CET	445	49761	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:25.006555080 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:25.006555080 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:25.006555080 CET	49761	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:25.011456966 CET	445	49761	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:25.011471987 CET	445	49761	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:25.517322063 CET	443	49699	104.98.116.138	192.168.2.7
Jan 15, 2025 14:06:25.517421007 CET	49699	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:26.918734074 CET	49832	445	192.168.2.7	203.77.176.15
Jan 15, 2025 14:06:26.923618078 CET	445	49832	203.77.176.15	192.168.2.7
Jan 15, 2025 14:06:26.923713923 CET	49832	445	192.168.2.7	203.77.176.15
Jan 15, 2025 14:06:26.923806906 CET	49832	445	192.168.2.7	203.77.176.15
Jan 15, 2025 14:06:26.923990965 CET	49833	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.928872108 CET	445	49832	203.77.176.15	192.168.2.7
Jan 15, 2025 14:06:26.928904057 CET	445	49833	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:26.928940058 CET	49832	445	192.168.2.7	203.77.176.15
Jan 15, 2025 14:06:26.929003954 CET	49833	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.929080963 CET	49833	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.930107117 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.934092045 CET	445	49833	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:26.934155941 CET	49833	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.934952021 CET	445	49834	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:26.935034990 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.935094118 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:26.939879894 CET	445	49834	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:28.009485960 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:28.014362097 CET	445	49857	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:28.014473915 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:28.014594078 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:28.019521952 CET	445	49857	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:28.935698986 CET	49872	445	192.168.2.7	210.217.39.139
Jan 15, 2025 14:06:28.940941095 CET	445	49872	210.217.39.139	192.168.2.7
Jan 15, 2025 14:06:28.941050053 CET	49872	445	192.168.2.7	210.217.39.139
Jan 15, 2025 14:06:28.941119909 CET	49872	445	192.168.2.7	210.217.39.139
Jan 15, 2025 14:06:28.941426992 CET	49873	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.946329117 CET	445	49873	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:28.946388960 CET	445	49872	210.217.39.139	192.168.2.7
Jan 15, 2025 14:06:28.946532011 CET	49872	445	192.168.2.7	210.217.39.139
Jan 15, 2025 14:06:28.946983099 CET	49873	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.946984053 CET	49873	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.947685957 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.951946020 CET	445	49873	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:28.951981068 CET	445	49873	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:28.952120066 CET	49873	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.952543974 CET	445	49874	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:28.952624083 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.952663898 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:28.957494974 CET	445	49874	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:30.046686888 CET	445	49857	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:30.046761036 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:30.046845913 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:30.046936035 CET	49857	445	192.168.2.7	220.134.191.1
Jan 15, 2025 14:06:30.051594019 CET	445	49857	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:30.051688910 CET	445	49857	220.134.191.1	192.168.2.7
Jan 15, 2025 14:06:30.103208065 CET	49894	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.108086109 CET	445	49894	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:30.108222008 CET	49894	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.108289003 CET	49894	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.109476089 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.113286018 CET	445	49894	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:30.113360882 CET	49894	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.114306927 CET	445	49895	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:30.114375114 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.114420891 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:30.119261026 CET	445	49895	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:30.947962046 CET	49912	445	192.168.2.7	213.225.108.59
Jan 15, 2025 14:06:30.952783108 CET	445	49912	213.225.108.59	192.168.2.7
Jan 15, 2025 14:06:30.952861071 CET	49912	445	192.168.2.7	213.225.108.59
Jan 15, 2025 14:06:30.952971935 CET	49912	445	192.168.2.7	213.225.108.59
Jan 15, 2025 14:06:30.953182936 CET	49913	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.957808018 CET	445	49912	213.225.108.59	192.168.2.7
Jan 15, 2025 14:06:30.957866907 CET	49912	445	192.168.2.7	213.225.108.59
Jan 15, 2025 14:06:30.957964897 CET	445	49913	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:30.958045006 CET	49913	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.958133936 CET	49913	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.959374905 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.963198900 CET	445	49913	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:30.963248014 CET	49913	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.964180946 CET	445	49914	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:30.964251995 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.964344978 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:30.970340967 CET	445	49914	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:32.188441038 CET	445	49895	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:32.188513041 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:32.188561916 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:32.188621998 CET	49895	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:32.193403959 CET	445	49895	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:32.193484068 CET	445	49895	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:32.962649107 CET	49949	445	192.168.2.7	140.204.240.99
Jan 15, 2025 14:06:32.967513084 CET	445	49949	140.204.240.99	192.168.2.7
Jan 15, 2025 14:06:32.967591047 CET	49949	445	192.168.2.7	140.204.240.99
Jan 15, 2025 14:06:32.967679977 CET	49949	445	192.168.2.7	140.204.240.99
Jan 15, 2025 14:06:32.967776060 CET	49950	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.972585917 CET	445	49950	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:32.972661972 CET	445	49949	140.204.240.99	192.168.2.7
Jan 15, 2025 14:06:32.972667933 CET	49950	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.972716093 CET	49949	445	192.168.2.7	140.204.240.99
Jan 15, 2025 14:06:32.972722054 CET	49950	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.973007917 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.977644920 CET	445	49950	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:32.977700949 CET	49950	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.977750063 CET	445	49951	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:32.977807045 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.977824926 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:32.982569933 CET	445	49951	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:33.948919058 CET	49699	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:33.949335098 CET	49970	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:33.949364901 CET	443	49970	104.98.116.138	192.168.2.7
Jan 15, 2025 14:06:33.949450016 CET	49970	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:33.953706026 CET	443	49699	104.98.116.138	192.168.2.7
Jan 15, 2025 14:06:33.956917048 CET	49970	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:06:33.956929922 CET	443	49970	104.98.116.138	192.168.2.7
Jan 15, 2025 14:06:34.712219954 CET	49677	443	192.168.2.7	20.50.201.200
Jan 15, 2025 14:06:34.978377104 CET	49989	445	192.168.2.7	30.216.192.243
Jan 15, 2025 14:06:34.983263969 CET	445	49989	30.216.192.243	192.168.2.7
Jan 15, 2025 14:06:34.983372927 CET	49989	445	192.168.2.7	30.216.192.243
Jan 15, 2025 14:06:34.983443975 CET	49989	445	192.168.2.7	30.216.192.243
Jan 15, 2025 14:06:34.983544111 CET	49990	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.988310099 CET	445	49990	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:34.988379002 CET	49990	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.988439083 CET	49990	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.988451004 CET	445	49989	30.216.192.243	192.168.2.7
Jan 15, 2025 14:06:34.988503933 CET	49989	445	192.168.2.7	30.216.192.243
Jan 15, 2025 14:06:34.988831043 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.993488073 CET	445	49990	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:34.993568897 CET	49990	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.993612051 CET	445	49991	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:34.993752003 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.993779898 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:34.998610020 CET	445	49991	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:35.197104931 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:35.201975107 CET	445	49997	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:35.202188015 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:35.202188015 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:35.207025051 CET	445	49997	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:36.994223118 CET	50029	445	192.168.2.7	89.74.77.37
Jan 15, 2025 14:06:36.999108076 CET	445	50029	89.74.77.37	192.168.2.7
Jan 15, 2025 14:06:36.999186993 CET	50029	445	192.168.2.7	89.74.77.37
Jan 15, 2025 14:06:36.999224901 CET	50029	445	192.168.2.7	89.74.77.37
Jan 15, 2025 14:06:36.999368906 CET	50030	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.004173994 CET	445	50030	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:37.004256010 CET	445	50029	89.74.77.37	192.168.2.7
Jan 15, 2025 14:06:37.004273891 CET	50030	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.004306078 CET	50029	445	192.168.2.7	89.74.77.37
Jan 15, 2025 14:06:37.004386902 CET	50030	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.004683018 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.009294033 CET	445	50030	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:37.009381056 CET	50030	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.009565115 CET	445	50031	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:37.009676933 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.009721994 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:37.014535904 CET	445	50031	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:37.250588894 CET	445	49997	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:37.250653982 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:37.250716925 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:37.250792027 CET	49997	445	192.168.2.7	220.134.191.2
Jan 15, 2025 14:06:37.255486965 CET	445	49997	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:37.255537987 CET	445	49997	220.134.191.2	192.168.2.7
Jan 15, 2025 14:06:37.306396008 CET	50040	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.311378956 CET	445	50040	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:37.311470032 CET	50040	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.311511993 CET	50040	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.311934948 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.316731930 CET	445	50040	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:37.316783905 CET	445	50042	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:37.316802979 CET	50040	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.317029953 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.317029953 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:37.321929932 CET	445	50042	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:39.009579897 CET	50070	445	192.168.2.7	36.202.180.9
Jan 15, 2025 14:06:39.014588118 CET	445	50070	36.202.180.9	192.168.2.7
Jan 15, 2025 14:06:39.014667034 CET	50070	445	192.168.2.7	36.202.180.9
Jan 15, 2025 14:06:39.014703989 CET	50070	445	192.168.2.7	36.202.180.9
Jan 15, 2025 14:06:39.014862061 CET	50071	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.019670963 CET	445	50071	36.202.180.1	192.168.2.7
Jan 15, 2025 14:06:39.019752026 CET	445	50070	36.202.180.9	192.168.2.7
Jan 15, 2025 14:06:39.019783020 CET	50071	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.019802094 CET	50070	445	192.168.2.7	36.202.180.9
Jan 15, 2025 14:06:39.019841909 CET	50071	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.020396948 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.024846077 CET	445	50071	36.202.180.1	192.168.2.7
Jan 15, 2025 14:06:39.024913073 CET	50071	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.025213003 CET	445	50072	36.202.180.1	192.168.2.7
Jan 15, 2025 14:06:39.025320053 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.025320053 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:06:39.030220985 CET	445	50072	36.202.180.1	192.168.2.7
Jan 15, 2025 14:06:41.025629997 CET	50113	445	192.168.2.7	157.157.97.201
Jan 15, 2025 14:06:41.030596972 CET	445	50113	157.157.97.201	192.168.2.7
Jan 15, 2025 14:06:41.030688047 CET	50113	445	192.168.2.7	157.157.97.201
Jan 15, 2025 14:06:41.030771971 CET	50113	445	192.168.2.7	157.157.97.201
Jan 15, 2025 14:06:41.030955076 CET	50114	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.035666943 CET	445	50113	157.157.97.201	192.168.2.7
Jan 15, 2025 14:06:41.035727024 CET	50113	445	192.168.2.7	157.157.97.201
Jan 15, 2025 14:06:41.035753965 CET	445	50114	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:41.035819054 CET	50114	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.035881042 CET	50114	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.036250114 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.040786982 CET	445	50114	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:41.040841103 CET	50114	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.041275978 CET	445	50115	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:41.041343927 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.041408062 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:41.046219110 CET	445	50115	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:42.282453060 CET	445	49722	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:42.282530069 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:42.282618999 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:42.282707930 CET	49722	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:42.287499905 CET	445	49722	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:42.287513971 CET	445	49722	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:42.729695082 CET	445	50115	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:42.729775906 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:42.729892969 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:42.729939938 CET	50115	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:42.734759092 CET	445	50115	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:42.734772921 CET	445	50115	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:43.040783882 CET	50149	445	192.168.2.7	206.93.182.207
Jan 15, 2025 14:06:43.046107054 CET	445	50149	206.93.182.207	192.168.2.7
Jan 15, 2025 14:06:43.046185970 CET	50149	445	192.168.2.7	206.93.182.207
Jan 15, 2025 14:06:43.046241999 CET	50149	445	192.168.2.7	206.93.182.207
Jan 15, 2025 14:06:43.046417952 CET	50150	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.051585913 CET	445	50149	206.93.182.207	192.168.2.7
Jan 15, 2025 14:06:43.051683903 CET	50149	445	192.168.2.7	206.93.182.207
Jan 15, 2025 14:06:43.051922083 CET	445	50150	206.93.182.1	192.168.2.7
Jan 15, 2025 14:06:43.051990986 CET	50150	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.052068949 CET	50150	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.052345037 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.057813883 CET	445	50151	206.93.182.1	192.168.2.7
Jan 15, 2025 14:06:43.057904005 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.058003902 CET	445	50150	206.93.182.1	192.168.2.7
Jan 15, 2025 14:06:43.058005095 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.058068991 CET	50150	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:06:43.062777042 CET	445	50151	206.93.182.1	192.168.2.7
Jan 15, 2025 14:06:45.057677031 CET	50189	445	192.168.2.7	9.170.56.131
Jan 15, 2025 14:06:45.062520027 CET	445	50189	9.170.56.131	192.168.2.7
Jan 15, 2025 14:06:45.062583923 CET	50189	445	192.168.2.7	9.170.56.131
Jan 15, 2025 14:06:45.062774897 CET	50189	445	192.168.2.7	9.170.56.131
Jan 15, 2025 14:06:45.062964916 CET	50190	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.067692041 CET	445	50189	9.170.56.131	192.168.2.7
Jan 15, 2025 14:06:45.067708015 CET	445	50190	9.170.56.1	192.168.2.7
Jan 15, 2025 14:06:45.067740917 CET	50189	445	192.168.2.7	9.170.56.131
Jan 15, 2025 14:06:45.067781925 CET	50190	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.067955971 CET	50190	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.068766117 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.072741985 CET	445	50190	9.170.56.1	192.168.2.7
Jan 15, 2025 14:06:45.072791100 CET	50190	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.073573112 CET	445	50191	9.170.56.1	192.168.2.7
Jan 15, 2025 14:06:45.073632956 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.073683977 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:06:45.078421116 CET	445	50191	9.170.56.1	192.168.2.7
Jan 15, 2025 14:06:45.290846109 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:45.295733929 CET	445	50194	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:45.295842886 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:45.295939922 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:06:45.300721884 CET	445	50194	162.93.121.1	192.168.2.7
Jan 15, 2025 14:06:45.743691921 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:45.748609066 CET	445	50203	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:45.748701096 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:45.748733044 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:45.753488064 CET	445	50203	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:46.279977083 CET	445	49797	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:46.280040026 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:46.280169010 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:46.280296087 CET	49797	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:46.284955025 CET	445	49797	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:46.285087109 CET	445	49797	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:47.072609901 CET	50211	445	192.168.2.7	81.92.82.29
Jan 15, 2025 14:06:47.077466965 CET	445	50211	81.92.82.29	192.168.2.7
Jan 15, 2025 14:06:47.077547073 CET	50211	445	192.168.2.7	81.92.82.29
Jan 15, 2025 14:06:47.077598095 CET	50211	445	192.168.2.7	81.92.82.29
Jan 15, 2025 14:06:47.077821016 CET	50212	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.082601070 CET	445	50211	81.92.82.29	192.168.2.7
Jan 15, 2025 14:06:47.082611084 CET	445	50212	81.92.82.1	192.168.2.7
Jan 15, 2025 14:06:47.082691908 CET	50211	445	192.168.2.7	81.92.82.29
Jan 15, 2025 14:06:47.082694054 CET	50212	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.082815886 CET	50212	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.083158016 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.087785006 CET	445	50212	81.92.82.1	192.168.2.7
Jan 15, 2025 14:06:47.087840080 CET	50212	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.087939024 CET	445	50213	81.92.82.1	192.168.2.7
Jan 15, 2025 14:06:47.088001013 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.088031054 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:06:47.092905045 CET	445	50213	81.92.82.1	192.168.2.7
Jan 15, 2025 14:06:47.428529024 CET	445	50203	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:47.428654909 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:47.428719044 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:47.428750038 CET	50203	445	192.168.2.7	157.157.97.1
Jan 15, 2025 14:06:47.433572054 CET	445	50203	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:47.433600903 CET	445	50203	157.157.97.1	192.168.2.7
Jan 15, 2025 14:06:47.494136095 CET	50217	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.499011040 CET	445	50217	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:47.499100924 CET	50217	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.499174118 CET	50217	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.499644995 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.504060984 CET	445	50217	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:47.504117012 CET	50217	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.504432917 CET	445	50218	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:47.504494905 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.504539967 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:47.509316921 CET	445	50218	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:48.312278032 CET	445	49834	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:48.312369108 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:48.312531948 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:48.312614918 CET	49834	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:48.317449093 CET	445	49834	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:48.317476034 CET	445	49834	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:49.095385075 CET	50227	445	192.168.2.7	94.245.226.115
Jan 15, 2025 14:06:49.100222111 CET	445	50227	94.245.226.115	192.168.2.7
Jan 15, 2025 14:06:49.100296021 CET	50227	445	192.168.2.7	94.245.226.115
Jan 15, 2025 14:06:49.100429058 CET	50227	445	192.168.2.7	94.245.226.115
Jan 15, 2025 14:06:49.100636959 CET	50228	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.105264902 CET	445	50227	94.245.226.115	192.168.2.7
Jan 15, 2025 14:06:49.105310917 CET	50227	445	192.168.2.7	94.245.226.115
Jan 15, 2025 14:06:49.105449915 CET	445	50228	94.245.226.1	192.168.2.7
Jan 15, 2025 14:06:49.105506897 CET	50228	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.105566978 CET	50228	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.109616995 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.110538006 CET	445	50228	94.245.226.1	192.168.2.7
Jan 15, 2025 14:06:49.110582113 CET	50228	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.114460945 CET	445	50229	94.245.226.1	192.168.2.7
Jan 15, 2025 14:06:49.114526033 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.114581108 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:06:49.119368076 CET	445	50229	94.245.226.1	192.168.2.7
Jan 15, 2025 14:06:49.194876909 CET	445	50218	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:49.194977045 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:49.195041895 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:49.195091009 CET	50218	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:49.199835062 CET	445	50218	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:49.199843884 CET	445	50218	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:49.290787935 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:49.295644045 CET	445	50231	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:49.295783043 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:49.295808077 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:06:49.300663948 CET	445	50231	3.129.41.1	192.168.2.7
Jan 15, 2025 14:06:50.343485117 CET	445	49874	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:50.343568087 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:50.343645096 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:50.343712091 CET	49874	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:50.348382950 CET	445	49874	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:50.348464966 CET	445	49874	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:51.104361057 CET	50246	445	192.168.2.7	158.21.165.74
Jan 15, 2025 14:06:51.109124899 CET	445	50246	158.21.165.74	192.168.2.7
Jan 15, 2025 14:06:51.109189987 CET	50246	445	192.168.2.7	158.21.165.74
Jan 15, 2025 14:06:51.109236002 CET	50246	445	192.168.2.7	158.21.165.74
Jan 15, 2025 14:06:51.109436035 CET	50247	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.114175081 CET	445	50247	158.21.165.1	192.168.2.7
Jan 15, 2025 14:06:51.114232063 CET	50247	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.114255905 CET	445	50246	158.21.165.74	192.168.2.7
Jan 15, 2025 14:06:51.114295006 CET	50246	445	192.168.2.7	158.21.165.74
Jan 15, 2025 14:06:51.114331961 CET	50247	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.114603996 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.119110107 CET	445	50247	158.21.165.1	192.168.2.7
Jan 15, 2025 14:06:51.119158983 CET	50247	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.119453907 CET	445	50248	158.21.165.1	192.168.2.7
Jan 15, 2025 14:06:51.119519949 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.119575977 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:06:51.124289036 CET	445	50248	158.21.165.1	192.168.2.7
Jan 15, 2025 14:06:51.322474003 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:51.327244997 CET	445	50249	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:51.327327967 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:51.327387094 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:06:51.547101021 CET	445	50249	203.77.176.1	192.168.2.7
Jan 15, 2025 14:06:52.197088003 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:52.201940060 CET	445	50255	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:52.202044964 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:52.202094078 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:52.206929922 CET	445	50255	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:52.343517065 CET	445	49914	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:52.343770981 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:52.343848944 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:52.344002008 CET	49914	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:52.349488020 CET	445	49914	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:52.350637913 CET	445	49914	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:53.119008064 CET	50261	445	192.168.2.7	19.99.222.131
Jan 15, 2025 14:06:53.123893976 CET	445	50261	19.99.222.131	192.168.2.7
Jan 15, 2025 14:06:53.123979092 CET	50261	445	192.168.2.7	19.99.222.131
Jan 15, 2025 14:06:53.124017000 CET	50261	445	192.168.2.7	19.99.222.131
Jan 15, 2025 14:06:53.124162912 CET	50262	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.128921032 CET	445	50262	19.99.222.1	192.168.2.7
Jan 15, 2025 14:06:53.128981113 CET	50262	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.129060030 CET	445	50261	19.99.222.131	192.168.2.7
Jan 15, 2025 14:06:53.129070044 CET	50262	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.129120111 CET	50261	445	192.168.2.7	19.99.222.131
Jan 15, 2025 14:06:53.129332066 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.133877993 CET	445	50262	19.99.222.1	192.168.2.7
Jan 15, 2025 14:06:53.133929968 CET	50262	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.134160042 CET	445	50263	19.99.222.1	192.168.2.7
Jan 15, 2025 14:06:53.134227037 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.134274006 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:06:53.139029026 CET	445	50263	19.99.222.1	192.168.2.7
Jan 15, 2025 14:06:53.353308916 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:53.358170986 CET	445	50265	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:53.358261108 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:53.358323097 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:06:53.363081932 CET	445	50265	210.217.39.1	192.168.2.7
Jan 15, 2025 14:06:53.898056984 CET	445	50255	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:53.898294926 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:53.898375034 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:53.898422003 CET	50255	445	192.168.2.7	157.157.97.2
Jan 15, 2025 14:06:53.903332949 CET	445	50255	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:53.903342962 CET	445	50255	157.157.97.2	192.168.2.7
Jan 15, 2025 14:06:53.962445021 CET	50271	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.967354059 CET	445	50271	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:53.967428923 CET	50271	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.967458963 CET	50271	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.967861891 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.972357988 CET	445	50271	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:53.972419977 CET	50271	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.972656965 CET	445	50272	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:53.972718954 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.972991943 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:53.977713108 CET	445	50272	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:54.373126984 CET	445	49951	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:54.373218060 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:54.373313904 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:54.373389959 CET	49951	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:54.378117085 CET	445	49951	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:54.378216982 CET	445	49951	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:55.135958910 CET	50282	445	192.168.2.7	213.138.21.234
Jan 15, 2025 14:06:55.140824080 CET	445	50282	213.138.21.234	192.168.2.7
Jan 15, 2025 14:06:55.140898943 CET	50282	445	192.168.2.7	213.138.21.234
Jan 15, 2025 14:06:55.140969992 CET	50282	445	192.168.2.7	213.138.21.234
Jan 15, 2025 14:06:55.141125917 CET	50283	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.145873070 CET	445	50282	213.138.21.234	192.168.2.7
Jan 15, 2025 14:06:55.145925999 CET	50282	445	192.168.2.7	213.138.21.234
Jan 15, 2025 14:06:55.146003962 CET	445	50283	213.138.21.1	192.168.2.7
Jan 15, 2025 14:06:55.146069050 CET	50283	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.146120071 CET	50283	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.146481037 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.151009083 CET	445	50283	213.138.21.1	192.168.2.7
Jan 15, 2025 14:06:55.151057959 CET	50283	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.151328087 CET	445	50284	213.138.21.1	192.168.2.7
Jan 15, 2025 14:06:55.151386023 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.151446104 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:06:55.156224966 CET	445	50284	213.138.21.1	192.168.2.7
Jan 15, 2025 14:06:55.353369951 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:55.358225107 CET	445	50285	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:55.358319998 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:55.358405113 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:06:55.363142014 CET	445	50285	213.225.108.1	192.168.2.7
Jan 15, 2025 14:06:55.648037910 CET	445	50272	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:55.648149967 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:55.652311087 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:55.652424097 CET	50272	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:55.657391071 CET	445	50272	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:55.657404900 CET	445	50272	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:56.361495018 CET	445	49991	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:56.361579895 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:56.361663103 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:56.361700058 CET	49991	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:56.366544962 CET	445	49991	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:56.366555929 CET	445	49991	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:57.009891987 CET	50294	445	192.168.2.7	32.149.7.237
Jan 15, 2025 14:06:57.015081882 CET	445	50294	32.149.7.237	192.168.2.7
Jan 15, 2025 14:06:57.015207052 CET	50294	445	192.168.2.7	32.149.7.237
Jan 15, 2025 14:06:57.015227079 CET	50294	445	192.168.2.7	32.149.7.237
Jan 15, 2025 14:06:57.015431881 CET	50295	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.020112991 CET	445	50294	32.149.7.237	192.168.2.7
Jan 15, 2025 14:06:57.020175934 CET	50294	445	192.168.2.7	32.149.7.237
Jan 15, 2025 14:06:57.020180941 CET	445	50295	32.149.7.1	192.168.2.7
Jan 15, 2025 14:06:57.020246029 CET	50295	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.020262957 CET	50295	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.020685911 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.025230885 CET	445	50295	32.149.7.1	192.168.2.7
Jan 15, 2025 14:06:57.025468111 CET	445	50296	32.149.7.1	192.168.2.7
Jan 15, 2025 14:06:57.025531054 CET	50295	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.025576115 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.025604010 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:06:57.030404091 CET	445	50296	32.149.7.1	192.168.2.7
Jan 15, 2025 14:06:57.384471893 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:57.389415026 CET	445	50299	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:57.390556097 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:57.390624046 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:06:57.395364046 CET	445	50299	140.204.240.1	192.168.2.7
Jan 15, 2025 14:06:58.392386913 CET	445	50031	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:58.392472982 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:58.392561913 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:58.392561913 CET	50031	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:06:58.397413969 CET	445	50031	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:58.397422075 CET	445	50031	89.74.77.1	192.168.2.7
Jan 15, 2025 14:06:58.670918941 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:58.675807953 CET	445	50305	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:58.675909996 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:58.679027081 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:06:58.683831930 CET	445	50305	157.157.97.3	192.168.2.7
Jan 15, 2025 14:06:58.685617924 CET	445	50042	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:58.685703039 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:58.687035084 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:58.687099934 CET	50042	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:06:58.691871881 CET	445	50042	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:58.691888094 CET	445	50042	220.134.191.3	192.168.2.7
Jan 15, 2025 14:06:58.778856993 CET	50307	445	192.168.2.7	97.105.73.70
Jan 15, 2025 14:06:58.783752918 CET	445	50307	97.105.73.70	192.168.2.7
Jan 15, 2025 14:06:58.783823967 CET	50307	445	192.168.2.7	97.105.73.70
Jan 15, 2025 14:06:58.788330078 CET	50307	445	192.168.2.7	97.105.73.70
Jan 15, 2025 14:06:58.788467884 CET	50308	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.793158054 CET	445	50307	97.105.73.70	192.168.2.7
Jan 15, 2025 14:06:58.793221951 CET	50307	445	192.168.2.7	97.105.73.70
Jan 15, 2025 14:06:58.793242931 CET	445	50308	97.105.73.1	192.168.2.7
Jan 15, 2025 14:06:58.793297052 CET	50308	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.795865059 CET	50308	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.796175003 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.800726891 CET	445	50308	97.105.73.1	192.168.2.7
Jan 15, 2025 14:06:58.800789118 CET	50308	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.800976038 CET	445	50309	97.105.73.1	192.168.2.7
Jan 15, 2025 14:06:58.801058054 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.806195021 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:06:58.811140060 CET	445	50309	97.105.73.1	192.168.2.7
Jan 15, 2025 14:06:59.368870974 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:59.373745918 CET	445	50313	30.216.192.1	192.168.2.7
Jan 15, 2025 14:06:59.373812914 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:59.373859882 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:06:59.378603935 CET	445	50313	30.216.192.1	192.168.2.7
Jan 15, 2025 14:07:00.370615005 CET	445	50305	157.157.97.3	192.168.2.7
Jan 15, 2025 14:07:00.370687008 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:07:00.370724916 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:07:00.370762110 CET	50305	445	192.168.2.7	157.157.97.3
Jan 15, 2025 14:07:00.375463009 CET	445	50305	157.157.97.3	192.168.2.7
Jan 15, 2025 14:07:00.375479937 CET	445	50305	157.157.97.3	192.168.2.7
Jan 15, 2025 14:07:00.400357008 CET	50319	445	192.168.2.7	222.186.55.166
Jan 15, 2025 14:07:00.405170918 CET	445	50319	222.186.55.166	192.168.2.7
Jan 15, 2025 14:07:00.407088995 CET	50319	445	192.168.2.7	222.186.55.166
Jan 15, 2025 14:07:00.407109976 CET	50319	445	192.168.2.7	222.186.55.166
Jan 15, 2025 14:07:00.407401085 CET	50320	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.412102938 CET	445	50319	222.186.55.166	192.168.2.7
Jan 15, 2025 14:07:00.412322044 CET	445	50320	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:00.412404060 CET	50319	445	192.168.2.7	222.186.55.166
Jan 15, 2025 14:07:00.412456036 CET	50320	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.412559032 CET	50320	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.412873983 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.417452097 CET	445	50320	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:00.417756081 CET	445	50321	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:00.417833090 CET	50320	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.417860031 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.417891979 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:00.422684908 CET	445	50321	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:00.425611973 CET	445	50072	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:00.427079916 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:00.427099943 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:00.427149057 CET	50072	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:00.431343079 CET	50322	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.431945086 CET	445	50072	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:00.431952953 CET	445	50072	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:00.436192989 CET	445	50322	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:00.439109087 CET	50322	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.439198971 CET	50322	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.439450026 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.444037914 CET	445	50322	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:00.444181919 CET	445	50323	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:00.444238901 CET	50322	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.444259882 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.444277048 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:00.449069023 CET	445	50323	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:01.400165081 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:01.404969931 CET	445	50329	89.74.77.1	192.168.2.7
Jan 15, 2025 14:07:01.405152082 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:01.405220985 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:01.409965992 CET	445	50329	89.74.77.1	192.168.2.7
Jan 15, 2025 14:07:01.700550079 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:01.835479021 CET	445	50330	220.134.191.3	192.168.2.7
Jan 15, 2025 14:07:01.835556984 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:01.840739012 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:01.848434925 CET	445	50330	220.134.191.3	192.168.2.7
Jan 15, 2025 14:07:01.935650110 CET	50331	445	192.168.2.7	200.15.2.213
Jan 15, 2025 14:07:01.940553904 CET	445	50331	200.15.2.213	192.168.2.7
Jan 15, 2025 14:07:01.940682888 CET	50331	445	192.168.2.7	200.15.2.213
Jan 15, 2025 14:07:01.940773010 CET	50331	445	192.168.2.7	200.15.2.213
Jan 15, 2025 14:07:01.940979004 CET	50332	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.945826054 CET	445	50331	200.15.2.213	192.168.2.7
Jan 15, 2025 14:07:01.945863008 CET	445	50332	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:01.945988894 CET	50331	445	192.168.2.7	200.15.2.213
Jan 15, 2025 14:07:01.946033001 CET	50332	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.946140051 CET	50332	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.946429014 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.951234102 CET	445	50332	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:01.951332092 CET	50332	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.951383114 CET	445	50333	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:01.951440096 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.952568054 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:01.958486080 CET	445	50333	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:03.353687048 CET	50334	445	192.168.2.7	208.183.42.193
Jan 15, 2025 14:07:03.359807968 CET	445	50334	208.183.42.193	192.168.2.7
Jan 15, 2025 14:07:03.363116980 CET	50334	445	192.168.2.7	208.183.42.193
Jan 15, 2025 14:07:03.363183975 CET	50334	445	192.168.2.7	208.183.42.193
Jan 15, 2025 14:07:03.363379955 CET	50335	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.368424892 CET	445	50334	208.183.42.193	192.168.2.7
Jan 15, 2025 14:07:03.368469954 CET	445	50335	208.183.42.1	192.168.2.7
Jan 15, 2025 14:07:03.368558884 CET	50334	445	192.168.2.7	208.183.42.193
Jan 15, 2025 14:07:03.368566036 CET	50335	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.368711948 CET	50335	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.369085073 CET	50336	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.373692989 CET	445	50335	208.183.42.1	192.168.2.7
Jan 15, 2025 14:07:03.373994112 CET	445	50336	208.183.42.1	192.168.2.7
Jan 15, 2025 14:07:03.374049902 CET	50335	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.374077082 CET	50336	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.374135017 CET	50336	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:03.379031897 CET	445	50336	208.183.42.1	192.168.2.7
Jan 15, 2025 14:07:03.431258917 CET	50337	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:03.436325073 CET	445	50337	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:03.436399937 CET	50337	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:03.436438084 CET	50337	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:03.441354036 CET	445	50337	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:04.423858881 CET	445	50151	206.93.182.1	192.168.2.7
Jan 15, 2025 14:07:04.424082041 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:04.424082041 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:04.424129009 CET	50151	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:04.429035902 CET	445	50151	206.93.182.1	192.168.2.7
Jan 15, 2025 14:07:04.429064989 CET	445	50151	206.93.182.1	192.168.2.7
Jan 15, 2025 14:07:04.691365004 CET	50338	445	192.168.2.7	189.17.0.168
Jan 15, 2025 14:07:04.696466923 CET	445	50338	189.17.0.168	192.168.2.7
Jan 15, 2025 14:07:04.696620941 CET	50338	445	192.168.2.7	189.17.0.168
Jan 15, 2025 14:07:04.699861050 CET	50338	445	192.168.2.7	189.17.0.168
Jan 15, 2025 14:07:04.700043917 CET	50339	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.704734087 CET	445	50338	189.17.0.168	192.168.2.7
Jan 15, 2025 14:07:04.704804897 CET	50338	445	192.168.2.7	189.17.0.168
Jan 15, 2025 14:07:04.704932928 CET	445	50339	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:04.705003023 CET	50339	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.708108902 CET	50339	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.713037014 CET	445	50339	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:04.713207960 CET	50339	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.718483925 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.723400116 CET	445	50340	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:04.723467112 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.730606079 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:04.735440969 CET	445	50340	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:05.931778908 CET	50341	445	192.168.2.7	144.248.14.104
Jan 15, 2025 14:07:05.936650038 CET	445	50341	144.248.14.104	192.168.2.7
Jan 15, 2025 14:07:05.936738968 CET	50341	445	192.168.2.7	144.248.14.104
Jan 15, 2025 14:07:05.936788082 CET	50341	445	192.168.2.7	144.248.14.104
Jan 15, 2025 14:07:05.936942101 CET	50342	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.941762924 CET	445	50342	144.248.14.1	192.168.2.7
Jan 15, 2025 14:07:05.941778898 CET	445	50341	144.248.14.104	192.168.2.7
Jan 15, 2025 14:07:05.941842079 CET	50342	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.941868067 CET	50341	445	192.168.2.7	144.248.14.104
Jan 15, 2025 14:07:05.941946030 CET	50342	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.942383051 CET	50343	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.946854115 CET	445	50342	144.248.14.1	192.168.2.7
Jan 15, 2025 14:07:05.946921110 CET	50342	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.947216034 CET	445	50343	144.248.14.1	192.168.2.7
Jan 15, 2025 14:07:05.947267056 CET	50343	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.947297096 CET	50343	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:05.952104092 CET	445	50343	144.248.14.1	192.168.2.7
Jan 15, 2025 14:07:06.472707987 CET	445	50191	9.170.56.1	192.168.2.7
Jan 15, 2025 14:07:06.472899914 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:06.473000050 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:06.473001003 CET	50191	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:06.477929115 CET	445	50191	9.170.56.1	192.168.2.7
Jan 15, 2025 14:07:06.477940083 CET	445	50191	9.170.56.1	192.168.2.7
Jan 15, 2025 14:07:06.506345987 CET	445	50340	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:06.506454945 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:06.506495953 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:06.506530046 CET	50340	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:06.511694908 CET	445	50340	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:06.511725903 CET	445	50340	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:06.787528992 CET	445	50194	162.93.121.1	192.168.2.7
Jan 15, 2025 14:07:06.787633896 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:07:06.787698984 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:07:06.787784100 CET	50194	445	192.168.2.7	162.93.121.1
Jan 15, 2025 14:07:06.793303967 CET	445	50194	162.93.121.1	192.168.2.7
Jan 15, 2025 14:07:06.793334007 CET	445	50194	162.93.121.1	192.168.2.7
Jan 15, 2025 14:07:06.853410959 CET	50344	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.859443903 CET	445	50344	162.93.121.2	192.168.2.7
Jan 15, 2025 14:07:06.859584093 CET	50344	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.859613895 CET	50344	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.861594915 CET	50345	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.865528107 CET	445	50344	162.93.121.2	192.168.2.7
Jan 15, 2025 14:07:06.865596056 CET	50344	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.867064953 CET	445	50345	162.93.121.2	192.168.2.7
Jan 15, 2025 14:07:06.867136955 CET	50345	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.867181063 CET	50345	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:06.872595072 CET	445	50345	162.93.121.2	192.168.2.7
Jan 15, 2025 14:07:07.088538885 CET	50346	445	192.168.2.7	183.99.84.26
Jan 15, 2025 14:07:07.093493938 CET	445	50346	183.99.84.26	192.168.2.7
Jan 15, 2025 14:07:07.093579054 CET	50346	445	192.168.2.7	183.99.84.26
Jan 15, 2025 14:07:07.093744993 CET	50346	445	192.168.2.7	183.99.84.26
Jan 15, 2025 14:07:07.094149113 CET	50347	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.098740101 CET	445	50346	183.99.84.26	192.168.2.7
Jan 15, 2025 14:07:07.098944902 CET	50346	445	192.168.2.7	183.99.84.26
Jan 15, 2025 14:07:07.099004030 CET	445	50347	183.99.84.1	192.168.2.7
Jan 15, 2025 14:07:07.099064112 CET	50347	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.099076986 CET	50347	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.099338055 CET	50348	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.103895903 CET	445	50347	183.99.84.1	192.168.2.7
Jan 15, 2025 14:07:07.104093075 CET	445	50348	183.99.84.1	192.168.2.7
Jan 15, 2025 14:07:07.104137897 CET	50348	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.104147911 CET	445	50347	183.99.84.1	192.168.2.7
Jan 15, 2025 14:07:07.104177952 CET	50347	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.104216099 CET	50348	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:07.109262943 CET	445	50348	183.99.84.1	192.168.2.7
Jan 15, 2025 14:07:07.431281090 CET	50349	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:07.436135054 CET	445	50349	206.93.182.1	192.168.2.7
Jan 15, 2025 14:07:07.436206102 CET	50349	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:07.436259031 CET	50349	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:07.441060066 CET	445	50349	206.93.182.1	192.168.2.7
Jan 15, 2025 14:07:08.166147947 CET	50350	445	192.168.2.7	134.154.76.92
Jan 15, 2025 14:07:08.171148062 CET	445	50350	134.154.76.92	192.168.2.7
Jan 15, 2025 14:07:08.171245098 CET	50350	445	192.168.2.7	134.154.76.92
Jan 15, 2025 14:07:08.171319962 CET	50350	445	192.168.2.7	134.154.76.92
Jan 15, 2025 14:07:08.171447039 CET	50351	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.176240921 CET	445	50351	134.154.76.1	192.168.2.7
Jan 15, 2025 14:07:08.176273108 CET	445	50350	134.154.76.92	192.168.2.7
Jan 15, 2025 14:07:08.176347971 CET	50351	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.176366091 CET	50351	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.176379919 CET	50350	445	192.168.2.7	134.154.76.92
Jan 15, 2025 14:07:08.176811934 CET	50352	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.181303978 CET	445	50351	134.154.76.1	192.168.2.7
Jan 15, 2025 14:07:08.181355953 CET	50351	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.181622982 CET	445	50352	134.154.76.1	192.168.2.7
Jan 15, 2025 14:07:08.181682110 CET	50352	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.181710005 CET	50352	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:08.186527014 CET	445	50352	134.154.76.1	192.168.2.7
Jan 15, 2025 14:07:08.453680038 CET	445	50213	81.92.82.1	192.168.2.7
Jan 15, 2025 14:07:08.453960896 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:08.453960896 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:08.454102993 CET	50213	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:08.458796024 CET	445	50213	81.92.82.1	192.168.2.7
Jan 15, 2025 14:07:08.458885908 CET	445	50213	81.92.82.1	192.168.2.7
Jan 15, 2025 14:07:09.181814909 CET	50353	445	192.168.2.7	121.87.8.223
Jan 15, 2025 14:07:09.186784983 CET	445	50353	121.87.8.223	192.168.2.7
Jan 15, 2025 14:07:09.186891079 CET	50353	445	192.168.2.7	121.87.8.223
Jan 15, 2025 14:07:09.186989069 CET	50353	445	192.168.2.7	121.87.8.223
Jan 15, 2025 14:07:09.187186003 CET	50354	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.191901922 CET	445	50353	121.87.8.223	192.168.2.7
Jan 15, 2025 14:07:09.192035913 CET	445	50354	121.87.8.1	192.168.2.7
Jan 15, 2025 14:07:09.192114115 CET	50354	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.192204952 CET	50354	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.192325115 CET	445	50353	121.87.8.223	192.168.2.7
Jan 15, 2025 14:07:09.192374945 CET	50353	445	192.168.2.7	121.87.8.223
Jan 15, 2025 14:07:09.192653894 CET	50355	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.197156906 CET	445	50354	121.87.8.1	192.168.2.7
Jan 15, 2025 14:07:09.197228909 CET	50354	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.197455883 CET	445	50355	121.87.8.1	192.168.2.7
Jan 15, 2025 14:07:09.197521925 CET	50355	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.197559118 CET	50355	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:09.202364922 CET	445	50355	121.87.8.1	192.168.2.7
Jan 15, 2025 14:07:09.478162050 CET	50356	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:09.483088970 CET	445	50356	9.170.56.1	192.168.2.7
Jan 15, 2025 14:07:09.483165979 CET	50356	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:09.483202934 CET	50356	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:09.488095999 CET	445	50356	9.170.56.1	192.168.2.7
Jan 15, 2025 14:07:09.509465933 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:09.514368057 CET	445	50357	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:09.514455080 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:09.514476061 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:09.519321918 CET	445	50357	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:10.119275093 CET	50358	445	192.168.2.7	79.188.242.251
Jan 15, 2025 14:07:10.124789000 CET	445	50358	79.188.242.251	192.168.2.7
Jan 15, 2025 14:07:10.124896049 CET	50358	445	192.168.2.7	79.188.242.251
Jan 15, 2025 14:07:10.124924898 CET	50358	445	192.168.2.7	79.188.242.251
Jan 15, 2025 14:07:10.125310898 CET	50359	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.130089998 CET	445	50358	79.188.242.251	192.168.2.7
Jan 15, 2025 14:07:10.130148888 CET	50358	445	192.168.2.7	79.188.242.251
Jan 15, 2025 14:07:10.130239010 CET	445	50359	79.188.242.1	192.168.2.7
Jan 15, 2025 14:07:10.130322933 CET	50359	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.130323887 CET	50359	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.130585909 CET	50360	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.135376930 CET	445	50359	79.188.242.1	192.168.2.7
Jan 15, 2025 14:07:10.135442019 CET	50359	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.135528088 CET	445	50360	79.188.242.1	192.168.2.7
Jan 15, 2025 14:07:10.135601997 CET	50360	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.135647058 CET	50360	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:10.140481949 CET	445	50360	79.188.242.1	192.168.2.7
Jan 15, 2025 14:07:10.498136997 CET	445	50229	94.245.226.1	192.168.2.7
Jan 15, 2025 14:07:10.498251915 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:10.498317957 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:10.498378992 CET	50229	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:10.503261089 CET	445	50229	94.245.226.1	192.168.2.7
Jan 15, 2025 14:07:10.503292084 CET	445	50229	94.245.226.1	192.168.2.7
Jan 15, 2025 14:07:10.680480957 CET	445	50231	3.129.41.1	192.168.2.7
Jan 15, 2025 14:07:10.680598021 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:07:10.680685997 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:07:10.680754900 CET	50231	445	192.168.2.7	3.129.41.1
Jan 15, 2025 14:07:10.685592890 CET	445	50231	3.129.41.1	192.168.2.7
Jan 15, 2025 14:07:10.685647964 CET	445	50231	3.129.41.1	192.168.2.7
Jan 15, 2025 14:07:10.744074106 CET	50361	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.749293089 CET	445	50361	3.129.41.2	192.168.2.7
Jan 15, 2025 14:07:10.749382019 CET	50361	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.749562979 CET	50361	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.749844074 CET	50362	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.754637957 CET	445	50361	3.129.41.2	192.168.2.7
Jan 15, 2025 14:07:10.754693985 CET	445	50362	3.129.41.2	192.168.2.7
Jan 15, 2025 14:07:10.754699945 CET	50361	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.754776001 CET	50362	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.754802942 CET	50362	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:10.759612083 CET	445	50362	3.129.41.2	192.168.2.7
Jan 15, 2025 14:07:10.994210958 CET	50363	445	192.168.2.7	13.34.249.4
Jan 15, 2025 14:07:10.999367952 CET	445	50363	13.34.249.4	192.168.2.7
Jan 15, 2025 14:07:10.999459028 CET	50363	445	192.168.2.7	13.34.249.4
Jan 15, 2025 14:07:10.999533892 CET	50363	445	192.168.2.7	13.34.249.4
Jan 15, 2025 14:07:10.999644041 CET	50364	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.004547119 CET	445	50364	13.34.249.1	192.168.2.7
Jan 15, 2025 14:07:11.004605055 CET	445	50363	13.34.249.4	192.168.2.7
Jan 15, 2025 14:07:11.004646063 CET	50364	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.004677057 CET	50363	445	192.168.2.7	13.34.249.4
Jan 15, 2025 14:07:11.004765987 CET	50364	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.005091906 CET	50365	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.009746075 CET	445	50364	13.34.249.1	192.168.2.7
Jan 15, 2025 14:07:11.009808064 CET	50364	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.009955883 CET	445	50365	13.34.249.1	192.168.2.7
Jan 15, 2025 14:07:11.010009050 CET	50365	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.010040045 CET	50365	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:11.014859915 CET	445	50365	13.34.249.1	192.168.2.7
Jan 15, 2025 14:07:11.283642054 CET	445	50357	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:11.283891916 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:11.283891916 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:11.283891916 CET	50357	445	192.168.2.7	189.17.0.1
Jan 15, 2025 14:07:11.288930893 CET	445	50357	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:11.288964033 CET	445	50357	189.17.0.1	192.168.2.7
Jan 15, 2025 14:07:11.337893009 CET	50367	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.343086004 CET	445	50367	189.17.0.2	192.168.2.7
Jan 15, 2025 14:07:11.343213081 CET	50367	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.343256950 CET	50367	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.343697071 CET	50368	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.348419905 CET	445	50367	189.17.0.2	192.168.2.7
Jan 15, 2025 14:07:11.348468065 CET	445	50368	189.17.0.2	192.168.2.7
Jan 15, 2025 14:07:11.348491907 CET	50367	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.348547935 CET	50368	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.348577976 CET	50368	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:11.353367090 CET	445	50368	189.17.0.2	192.168.2.7
Jan 15, 2025 14:07:11.462738037 CET	50369	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:11.467755079 CET	445	50369	81.92.82.1	192.168.2.7
Jan 15, 2025 14:07:11.467834949 CET	50369	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:11.467864037 CET	50369	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:11.472651958 CET	445	50369	81.92.82.1	192.168.2.7
Jan 15, 2025 14:07:11.822223902 CET	50370	445	192.168.2.7	73.32.183.92
Jan 15, 2025 14:07:11.827244043 CET	445	50370	73.32.183.92	192.168.2.7
Jan 15, 2025 14:07:11.827333927 CET	50370	445	192.168.2.7	73.32.183.92
Jan 15, 2025 14:07:11.827369928 CET	50370	445	192.168.2.7	73.32.183.92
Jan 15, 2025 14:07:11.827522993 CET	50371	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.832381964 CET	445	50371	73.32.183.1	192.168.2.7
Jan 15, 2025 14:07:11.832448006 CET	50371	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.832515001 CET	445	50370	73.32.183.92	192.168.2.7
Jan 15, 2025 14:07:11.832523108 CET	50371	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.832564116 CET	50370	445	192.168.2.7	73.32.183.92
Jan 15, 2025 14:07:11.832909107 CET	50372	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.837590933 CET	445	50371	73.32.183.1	192.168.2.7
Jan 15, 2025 14:07:11.837655067 CET	50371	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.837866068 CET	445	50372	73.32.183.1	192.168.2.7
Jan 15, 2025 14:07:11.837934017 CET	50372	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.837969065 CET	50372	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:11.842884064 CET	445	50372	73.32.183.1	192.168.2.7
Jan 15, 2025 14:07:12.498605013 CET	445	50248	158.21.165.1	192.168.2.7
Jan 15, 2025 14:07:12.498753071 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:12.498809099 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:12.498862028 CET	50248	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:12.503746033 CET	445	50248	158.21.165.1	192.168.2.7
Jan 15, 2025 14:07:12.503778934 CET	445	50248	158.21.165.1	192.168.2.7
Jan 15, 2025 14:07:12.588514090 CET	50373	445	192.168.2.7	136.162.19.212
Jan 15, 2025 14:07:12.594120979 CET	445	50373	136.162.19.212	192.168.2.7
Jan 15, 2025 14:07:12.594197035 CET	50373	445	192.168.2.7	136.162.19.212
Jan 15, 2025 14:07:12.594438076 CET	50373	445	192.168.2.7	136.162.19.212
Jan 15, 2025 14:07:12.594681978 CET	50374	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.599941015 CET	445	50373	136.162.19.212	192.168.2.7
Jan 15, 2025 14:07:12.599997044 CET	50373	445	192.168.2.7	136.162.19.212
Jan 15, 2025 14:07:12.600222111 CET	445	50374	136.162.19.1	192.168.2.7
Jan 15, 2025 14:07:12.600281000 CET	50374	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.600373983 CET	50374	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.600986004 CET	50375	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.606206894 CET	445	50374	136.162.19.1	192.168.2.7
Jan 15, 2025 14:07:12.606266022 CET	50374	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.606483936 CET	445	50375	136.162.19.1	192.168.2.7
Jan 15, 2025 14:07:12.606547117 CET	50375	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.606718063 CET	50375	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:12.612158060 CET	445	50375	136.162.19.1	192.168.2.7
Jan 15, 2025 14:07:12.920449972 CET	445	50249	203.77.176.1	192.168.2.7
Jan 15, 2025 14:07:12.920536995 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:07:12.920591116 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:07:12.920656919 CET	50249	445	192.168.2.7	203.77.176.1
Jan 15, 2025 14:07:12.925468922 CET	445	50249	203.77.176.1	192.168.2.7
Jan 15, 2025 14:07:12.925483942 CET	445	50249	203.77.176.1	192.168.2.7
Jan 15, 2025 14:07:12.979340076 CET	50376	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.984246016 CET	445	50376	203.77.176.2	192.168.2.7
Jan 15, 2025 14:07:12.984314919 CET	50376	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.984358072 CET	50376	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.984729052 CET	50377	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.989375114 CET	445	50376	203.77.176.2	192.168.2.7
Jan 15, 2025 14:07:12.989435911 CET	50376	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.989567995 CET	445	50377	203.77.176.2	192.168.2.7
Jan 15, 2025 14:07:12.989625931 CET	50377	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.989672899 CET	50377	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:12.994537115 CET	445	50377	203.77.176.2	192.168.2.7
Jan 15, 2025 14:07:13.509546041 CET	50379	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:13.515383959 CET	445	50379	94.245.226.1	192.168.2.7
Jan 15, 2025 14:07:13.515511036 CET	50379	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:13.515561104 CET	50379	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:13.521015882 CET	445	50379	94.245.226.1	192.168.2.7
Jan 15, 2025 14:07:14.514137983 CET	445	50263	19.99.222.1	192.168.2.7
Jan 15, 2025 14:07:14.514281988 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:14.514323950 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:14.514372110 CET	50263	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:14.519149065 CET	445	50263	19.99.222.1	192.168.2.7
Jan 15, 2025 14:07:14.519165039 CET	445	50263	19.99.222.1	192.168.2.7
Jan 15, 2025 14:07:14.752250910 CET	445	50265	210.217.39.1	192.168.2.7
Jan 15, 2025 14:07:14.752315998 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:07:14.752382994 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:07:14.752454042 CET	50265	445	192.168.2.7	210.217.39.1
Jan 15, 2025 14:07:14.757119894 CET	445	50265	210.217.39.1	192.168.2.7
Jan 15, 2025 14:07:14.757355928 CET	445	50265	210.217.39.1	192.168.2.7
Jan 15, 2025 14:07:14.806442976 CET	50383	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.811309099 CET	445	50383	210.217.39.2	192.168.2.7
Jan 15, 2025 14:07:14.811418056 CET	50383	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.811510086 CET	50383	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.816458941 CET	445	50383	210.217.39.2	192.168.2.7
Jan 15, 2025 14:07:14.816535950 CET	50383	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.834227085 CET	50384	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.839071035 CET	445	50384	210.217.39.2	192.168.2.7
Jan 15, 2025 14:07:14.839158058 CET	50384	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.839193106 CET	50384	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:14.843960047 CET	445	50384	210.217.39.2	192.168.2.7
Jan 15, 2025 14:07:15.509668112 CET	50387	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:15.514976978 CET	445	50387	158.21.165.1	192.168.2.7
Jan 15, 2025 14:07:15.515114069 CET	50387	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:15.515157938 CET	50387	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:15.520040035 CET	445	50387	158.21.165.1	192.168.2.7
Jan 15, 2025 14:07:16.545388937 CET	445	50284	213.138.21.1	192.168.2.7
Jan 15, 2025 14:07:16.545465946 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:16.545533895 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:16.545594931 CET	50284	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:16.550816059 CET	445	50284	213.138.21.1	192.168.2.7
Jan 15, 2025 14:07:16.551343918 CET	445	50284	213.138.21.1	192.168.2.7
Jan 15, 2025 14:07:16.752507925 CET	445	50285	213.225.108.1	192.168.2.7
Jan 15, 2025 14:07:16.752686977 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:07:16.752779007 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:07:16.752872944 CET	50285	445	192.168.2.7	213.225.108.1
Jan 15, 2025 14:07:16.754185915 CET	443	49970	104.98.116.138	192.168.2.7
Jan 15, 2025 14:07:16.754414082 CET	49970	443	192.168.2.7	104.98.116.138
Jan 15, 2025 14:07:16.757751942 CET	445	50285	213.225.108.1	192.168.2.7
Jan 15, 2025 14:07:16.757797003 CET	445	50285	213.225.108.1	192.168.2.7
Jan 15, 2025 14:07:16.806709051 CET	50396	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.811695099 CET	445	50396	213.225.108.2	192.168.2.7
Jan 15, 2025 14:07:16.811804056 CET	50396	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.811824083 CET	50396	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.812324047 CET	50397	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.816891909 CET	445	50396	213.225.108.2	192.168.2.7
Jan 15, 2025 14:07:16.817003012 CET	50396	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.817284107 CET	445	50397	213.225.108.2	192.168.2.7
Jan 15, 2025 14:07:16.817363977 CET	50397	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.817410946 CET	50397	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:16.822225094 CET	445	50397	213.225.108.2	192.168.2.7
Jan 15, 2025 14:07:17.525109053 CET	50404	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:17.530138969 CET	445	50404	19.99.222.1	192.168.2.7
Jan 15, 2025 14:07:17.530237913 CET	50404	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:17.530284882 CET	50404	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:17.536947966 CET	445	50404	19.99.222.1	192.168.2.7
Jan 15, 2025 14:07:18.392467022 CET	445	50296	32.149.7.1	192.168.2.7
Jan 15, 2025 14:07:18.392585039 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:18.392616034 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:18.392672062 CET	50296	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:18.398905993 CET	445	50296	32.149.7.1	192.168.2.7
Jan 15, 2025 14:07:18.398927927 CET	445	50296	32.149.7.1	192.168.2.7
Jan 15, 2025 14:07:18.770052910 CET	445	50299	140.204.240.1	192.168.2.7
Jan 15, 2025 14:07:18.770169020 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:07:18.770304918 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:07:18.770304918 CET	50299	445	192.168.2.7	140.204.240.1
Jan 15, 2025 14:07:18.775192022 CET	445	50299	140.204.240.1	192.168.2.7
Jan 15, 2025 14:07:18.775207996 CET	445	50299	140.204.240.1	192.168.2.7
Jan 15, 2025 14:07:18.822000980 CET	50418	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.826848984 CET	445	50418	140.204.240.2	192.168.2.7
Jan 15, 2025 14:07:18.826950073 CET	50418	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.826982975 CET	50418	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.827470064 CET	50419	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.832030058 CET	445	50418	140.204.240.2	192.168.2.7
Jan 15, 2025 14:07:18.832390070 CET	445	50419	140.204.240.2	192.168.2.7
Jan 15, 2025 14:07:18.832474947 CET	50419	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.832504034 CET	50419	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.833126068 CET	445	50418	140.204.240.2	192.168.2.7
Jan 15, 2025 14:07:18.833184004 CET	50418	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:18.837302923 CET	445	50419	140.204.240.2	192.168.2.7
Jan 15, 2025 14:07:19.556427956 CET	50429	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:19.561651945 CET	445	50429	213.138.21.1	192.168.2.7
Jan 15, 2025 14:07:19.561758041 CET	50429	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:19.561841965 CET	50429	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:19.567605972 CET	445	50429	213.138.21.1	192.168.2.7
Jan 15, 2025 14:07:20.170605898 CET	445	50309	97.105.73.1	192.168.2.7
Jan 15, 2025 14:07:20.170689106 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:20.170779943 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:20.170811892 CET	50309	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:20.176073074 CET	445	50309	97.105.73.1	192.168.2.7
Jan 15, 2025 14:07:20.176570892 CET	445	50309	97.105.73.1	192.168.2.7
Jan 15, 2025 14:07:20.750776052 CET	445	50313	30.216.192.1	192.168.2.7
Jan 15, 2025 14:07:20.750912905 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:07:20.751035929 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:07:20.751086950 CET	50313	445	192.168.2.7	30.216.192.1
Jan 15, 2025 14:07:20.755892992 CET	445	50313	30.216.192.1	192.168.2.7
Jan 15, 2025 14:07:20.755909920 CET	445	50313	30.216.192.1	192.168.2.7
Jan 15, 2025 14:07:20.806514978 CET	50454	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.811598063 CET	445	50454	30.216.192.2	192.168.2.7
Jan 15, 2025 14:07:20.811711073 CET	50454	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.811729908 CET	50454	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.812148094 CET	50455	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.817006111 CET	445	50454	30.216.192.2	192.168.2.7
Jan 15, 2025 14:07:20.817071915 CET	50454	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.817116022 CET	445	50455	30.216.192.2	192.168.2.7
Jan 15, 2025 14:07:20.817186117 CET	50455	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.817270994 CET	50455	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:20.822139978 CET	445	50455	30.216.192.2	192.168.2.7
Jan 15, 2025 14:07:21.400072098 CET	50469	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:21.405086040 CET	445	50469	32.149.7.1	192.168.2.7
Jan 15, 2025 14:07:21.405272007 CET	50469	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:21.405272007 CET	50469	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:21.410099983 CET	445	50469	32.149.7.1	192.168.2.7
Jan 15, 2025 14:07:21.798027992 CET	445	50323	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:21.798069000 CET	445	50321	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:21.798166990 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:21.798217058 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:21.798233986 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:21.798233986 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:21.798264027 CET	50321	445	192.168.2.7	222.186.55.1
Jan 15, 2025 14:07:21.798274994 CET	50323	445	192.168.2.7	157.157.97.4
Jan 15, 2025 14:07:21.803177118 CET	445	50321	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:21.803208113 CET	445	50321	222.186.55.1	192.168.2.7
Jan 15, 2025 14:07:21.803342104 CET	445	50323	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:21.803370953 CET	445	50323	157.157.97.4	192.168.2.7
Jan 15, 2025 14:07:22.779866934 CET	445	50329	89.74.77.1	192.168.2.7
Jan 15, 2025 14:07:22.780014038 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:22.780101061 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:22.780172110 CET	50329	445	192.168.2.7	89.74.77.1
Jan 15, 2025 14:07:22.787250042 CET	445	50329	89.74.77.1	192.168.2.7
Jan 15, 2025 14:07:22.787744999 CET	445	50329	89.74.77.1	192.168.2.7
Jan 15, 2025 14:07:22.837867975 CET	50514	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.842885017 CET	445	50514	89.74.77.2	192.168.2.7
Jan 15, 2025 14:07:22.843045950 CET	50514	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.843089104 CET	50514	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.843708992 CET	50516	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.848228931 CET	445	50514	89.74.77.2	192.168.2.7
Jan 15, 2025 14:07:22.848330975 CET	50514	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.848572969 CET	445	50516	89.74.77.2	192.168.2.7
Jan 15, 2025 14:07:22.848634958 CET	50516	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.848658085 CET	50516	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:22.853775978 CET	445	50516	89.74.77.2	192.168.2.7
Jan 15, 2025 14:07:23.181734085 CET	50532	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:23.186736107 CET	445	50532	97.105.73.1	192.168.2.7
Jan 15, 2025 14:07:23.186832905 CET	50532	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:23.186877012 CET	50532	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:23.191721916 CET	445	50532	97.105.73.1	192.168.2.7
Jan 15, 2025 14:07:23.221790075 CET	445	50330	220.134.191.3	192.168.2.7
Jan 15, 2025 14:07:23.221863985 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:23.221935034 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:23.222016096 CET	50330	445	192.168.2.7	220.134.191.3
Jan 15, 2025 14:07:23.226718903 CET	445	50330	220.134.191.3	192.168.2.7
Jan 15, 2025 14:07:23.226830959 CET	445	50330	220.134.191.3	192.168.2.7
Jan 15, 2025 14:07:23.275661945 CET	50540	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.280667067 CET	445	50540	220.134.191.4	192.168.2.7
Jan 15, 2025 14:07:23.280843019 CET	50540	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.280879021 CET	50540	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.281409025 CET	50541	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.286186934 CET	445	50540	220.134.191.4	192.168.2.7
Jan 15, 2025 14:07:23.286247015 CET	50540	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.286319971 CET	445	50541	220.134.191.4	192.168.2.7
Jan 15, 2025 14:07:23.286386013 CET	50541	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.286423922 CET	50541	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:07:23.291220903 CET	445	50541	220.134.191.4	192.168.2.7
Jan 15, 2025 14:07:23.520170927 CET	445	50333	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:23.520303965 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:23.520391941 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:23.520482063 CET	50333	445	192.168.2.7	200.15.2.1
Jan 15, 2025 14:07:23.525279045 CET	445	50333	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:23.525311947 CET	445	50333	200.15.2.1	192.168.2.7
Jan 15, 2025 14:07:24.787955046 CET	445	50336	208.183.42.1	192.168.2.7
Jan 15, 2025 14:07:24.788047075 CET	50336	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:24.811274052 CET	445	50337	36.202.180.1	192.168.2.7
Jan 15, 2025 14:07:24.811341047 CET	50337	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:25.242471933 CET	50377	445	192.168.2.7	203.77.176.2
Jan 15, 2025 14:07:25.242568016 CET	50419	445	192.168.2.7	140.204.240.2
Jan 15, 2025 14:07:25.242665052 CET	50379	445	192.168.2.7	94.245.226.1
Jan 15, 2025 14:07:25.242681980 CET	50455	445	192.168.2.7	30.216.192.2
Jan 15, 2025 14:07:25.242717981 CET	50336	445	192.168.2.7	208.183.42.1
Jan 15, 2025 14:07:25.242746115 CET	50337	445	192.168.2.7	36.202.180.1
Jan 15, 2025 14:07:25.242772102 CET	50369	445	192.168.2.7	81.92.82.1
Jan 15, 2025 14:07:25.242801905 CET	50345	445	192.168.2.7	162.93.121.2
Jan 15, 2025 14:07:25.242877960 CET	50349	445	192.168.2.7	206.93.182.1
Jan 15, 2025 14:07:25.242903948 CET	50352	445	192.168.2.7	134.154.76.1
Jan 15, 2025 14:07:25.242912054 CET	50343	445	192.168.2.7	144.248.14.1
Jan 15, 2025 14:07:25.242912054 CET	50348	445	192.168.2.7	183.99.84.1
Jan 15, 2025 14:07:25.242927074 CET	50355	445	192.168.2.7	121.87.8.1
Jan 15, 2025 14:07:25.242948055 CET	50356	445	192.168.2.7	9.170.56.1
Jan 15, 2025 14:07:25.242986917 CET	50360	445	192.168.2.7	79.188.242.1
Jan 15, 2025 14:07:25.243019104 CET	50362	445	192.168.2.7	3.129.41.2
Jan 15, 2025 14:07:25.243074894 CET	50365	445	192.168.2.7	13.34.249.1
Jan 15, 2025 14:07:25.243097067 CET	50368	445	192.168.2.7	189.17.0.2
Jan 15, 2025 14:07:25.243145943 CET	50372	445	192.168.2.7	73.32.183.1
Jan 15, 2025 14:07:25.243149996 CET	50375	445	192.168.2.7	136.162.19.1
Jan 15, 2025 14:07:25.243170023 CET	50387	445	192.168.2.7	158.21.165.1
Jan 15, 2025 14:07:25.243192911 CET	50384	445	192.168.2.7	210.217.39.2
Jan 15, 2025 14:07:25.243218899 CET	50397	445	192.168.2.7	213.225.108.2
Jan 15, 2025 14:07:25.243279934 CET	50429	445	192.168.2.7	213.138.21.1
Jan 15, 2025 14:07:25.243331909 CET	50404	445	192.168.2.7	19.99.222.1
Jan 15, 2025 14:07:25.243439913 CET	50516	445	192.168.2.7	89.74.77.2
Jan 15, 2025 14:07:25.243508101 CET	50469	445	192.168.2.7	32.149.7.1
Jan 15, 2025 14:07:25.243650913 CET	50532	445	192.168.2.7	97.105.73.1
Jan 15, 2025 14:07:25.243735075 CET	50541	445	192.168.2.7	220.134.191.4
Jan 15, 2025 14:08:25.283488035 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.288537025 CET	80	50633	104.16.167.228	192.168.2.7
Jan 15, 2025 14:08:25.288644075 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.288758993 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.293551922 CET	80	50633	104.16.167.228	192.168.2.7
Jan 15, 2025 14:08:25.768774033 CET	80	50633	104.16.167.228	192.168.2.7
Jan 15, 2025 14:08:25.769104958 CET	80	50633	104.16.167.228	192.168.2.7
Jan 15, 2025 14:08:25.770153999 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.770153999 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.770153999 CET	50633	80	192.168.2.7	104.16.167.228
Jan 15, 2025 14:08:25.775554895 CET	80	50633	104.16.167.228	192.168.2.7
Jan 15, 2025 14:08:25.777539968 CET	50634	445	192.168.2.7	128.94.152.36
Jan 15, 2025 14:08:25.784315109 CET	445	50634	128.94.152.36	192.168.2.7
Jan 15, 2025 14:08:25.784415007 CET	50634	445	192.168.2.7	128.94.152.36
Jan 15, 2025 14:08:25.784454107 CET	50634	445	192.168.2.7	128.94.152.36
Jan 15, 2025 14:08:25.784589052 CET	50636	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.789927959 CET	445	50636	128.94.152.1	192.168.2.7
Jan 15, 2025 14:08:25.789988041 CET	50636	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.790018082 CET	50636	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.790074110 CET	445	50634	128.94.152.36	192.168.2.7
Jan 15, 2025 14:08:25.790213108 CET	50638	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.790247917 CET	50634	445	192.168.2.7	128.94.152.36
Jan 15, 2025 14:08:25.795578957 CET	445	50636	128.94.152.1	192.168.2.7
Jan 15, 2025 14:08:25.795595884 CET	445	50638	128.94.152.1	192.168.2.7
Jan 15, 2025 14:08:25.795638084 CET	50636	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.795666933 CET	50638	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.795687914 CET	50638	445	192.168.2.7	128.94.152.1
Jan 15, 2025 14:08:25.801076889 CET	445	50638	128.94.152.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 14:06:17.470355034 CET	123	123	192.168.2.7	20.101.57.9
Jan 15, 2025 14:06:18.054145098 CET	123	123	20.101.57.9	192.168.2.7
Jan 15, 2025 14:06:19.377535105 CET	52337	53	192.168.2.7	1.1.1.1
Jan 15, 2025 14:06:19.418138027 CET	53	52337	1.1.1.1	192.168.2.7
Jan 15, 2025 14:07:11.753750086 CET	138	138	192.168.2.7	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 14:06:19.377535105 CET	192.168.2.7	1.1.1.1	0xf80	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 14:06:19.418138027 CET	1.1.1.1	192.168.2.7	0xf80	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.167.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 14:06:19.418138027 CET	1.1.1.1	192.168.2.7	0xf80	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com	104.16.166.228	A (IP address)	IN (0x0001)	false
Jan 15, 2025 14:06:24.689796925 CET	1.1.1.1	192.168.2.7	0xbc57	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 15, 2025 14:06:24.689796925 CET	1.1.1.1	192.168.2.7	0xbc57	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49711	104.16.167.228	80	7476	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:06:19.428608894 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:06:19.916870117 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:06:19 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9026151a0a7d4326-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49715	104.16.167.228	80	7572	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:06:20.296495914 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:06:20.787223101 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:06:20 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9026151f795c19b6-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49744	104.16.167.228	80	7800	C:\Windows\mssecsvc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:06:22.009947062 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:06:22.504756927 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:06:22 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9026152a3dd50cbe-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.7	50633	104.16.167.228	80

Timestamp	Bytes transferred	Direction	Data
Jan 15, 2025 14:08:25.288758993 CET	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com Cache-Control: no-cache
Jan 15, 2025 14:08:25.768774033 CET	778	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 13:08:25 GMT Content-Type: text/html Content-Length: 607 Connection: close Server: cloudflare CF-RAY: 9026182caad10cc0-EWR Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 75 73 22 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 53 69 6e 6b 68 6f 6c 65 64 20 62 79 20 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 72 79 70 74 6f 73 20 4c 6f 67 69 63 20 53 69 6e 6b 68 6f 6c 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 6b 72 79 70 74 6f 73 6c 6f 67 69 63 73 69 6e 6b 68 6f 6c 65 2e 63 6f 6d 2f 73 74 79 6c 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 2f 3e 3c 2f [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en-us" class="no-js"><head><meta charset="utf-8"><title>Sinkholed by Kryptos Logic</title><meta name="description" content="Kryptos Logic Sinkhole"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link href="//static.kryptoslogicsinkhole.com/style.css" rel="stylesheet" type="text/css"/></head><body class="flat"><div class="content"><div class="content-box"><div class="big-content"><div class="clear"></div></div><h1>Sinkholed!</h1><p>This domain has been sinkholed by <a href="https://www.kryptoslogic.com">Kryptos Logic</a>.</p></div></div></body></html>

Target ID:	0
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll"
Imagebase:	0x910000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\alN48K3xcD.dll,PlayGame
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",#1
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:06:17
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	25E8BF1FF6B34D9ACC77B9991F68409A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1340886302.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:06:18
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	25E8BF1FF6B34D9ACC77B9991F68409A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1351302945.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1996236950.00000000023E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.1995899155.0000000001EB5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	08:06:19
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	A848C62D74569AFFBA05EE92D4033A36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:06:19
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:06:19
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7660 -ip 7660
Imagebase:	0xec0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	08:06:20
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7660 -s 228
Imagebase:	0xec0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	08:06:20
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\alN48K3xcD.dll",PlayGame
Imagebase:	0xf90000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	08:06:20
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	25E8BF1FF6B34D9ACC77B9991F68409A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000E.00000000.1369474007.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000E.00000002.1379301697.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	08:06:21
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	A848C62D74569AFFBA05EE92D4033A36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	08:06:21
Start date:	15/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	08:06:21
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7908 -ip 7908
Imagebase:	0xec0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	08:06:21
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7908 -s 196
Imagebase:	0xec0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	71.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	64.9%
Total number of Nodes:	37
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBD0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
C:\%s\qeriuwjhrf, xrefs: 00407E12
kernel32.dll, xrefs: 00407CEA
WINDOWS, xrefs: 00407DF2, 00407E0D
CloseHandle, xrefs: 00407D29
D, xrefs: 00407ED3
/i, xrefs: 00407E8D
tasksche.exe, xrefs: 00407DEA
CreateProcessA, xrefs: 00407D07

Memory Dump Source

Source File: 00000006.00000002.1361828809.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1361809761.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361848389.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361920593.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1361828809.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1361809761.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361848389.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361920593.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000006.00000002.1361828809.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1361809761.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361848389.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361920593.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBD0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000006.00000002.1361828809.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1361809761.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361848389.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361920593.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6FBD0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1361828809.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1361809761.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361848389.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361870527.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1361920593.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1362011835.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7572, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	34.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	35
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6FBD0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.1995022871.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1995008353.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995038054.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995104820.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995121177.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000008.00000002.1995022871.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1995008353.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995038054.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995104820.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995121177.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
API String ID: 774561529-2942426231
Opcode ID: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction ID: cdf7c9b464921ed547f6e9cf97b0948ff8b518ee0850ecae1f57fc3afa3cefd0
Opcode Fuzzy Hash: 4b6db363f3c2a0039692f7716f941ccdaf41bdcfad687f466c5e8bce3354d2d7
Instruction Fuzzy Hash: D20186719543106EE310DF348C05B6BBBE9EF85710F01082EF984F7280E6B59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6FBD0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50
Microsoft Security Center (2.0) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000008.00000002.1995022871.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1995008353.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995038054.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995104820.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995121177.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6FBD0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CreateProcessA, xrefs: 00407D07
/i, xrefs: 00407E8D
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
D, xrefs: 00407ED3
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
WINDOWS, xrefs: 00407DF2, 00407E0D
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB

Memory Dump Source

Source File: 00000008.00000002.1995022871.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1995008353.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995038054.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995104820.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995121177.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.1995022871.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1995008353.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995038054.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995052642.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995089244.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995104820.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995121177.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.1995210936.0000000000787000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 7660, Parent PID: 7476COMMON

Execution Graph

Execution Coverage:	0.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	100%
Total number of Nodes:	2
Total number of Limit Nodes:	0

Executed Functions

Function 004077BA Relevance: 1.6, APIs: 1, Instructions: 111
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000002), ref: 004077E7

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: dfd8e3bc251a609b923ee84314f981157ecd194afd53806702bb476cb8b66a50
Instruction ID: 57d92ca68de9f17921d1a12c15d34c329a61f20750848fe313e479baa5e7fd82
Opcode Fuzzy Hash: dfd8e3bc251a609b923ee84314f981157ecd194afd53806702bb476cb8b66a50
Instruction Fuzzy Hash: 10418DB1D04344AFDB20AFA4DE49A697BB8AB09710F20413FE581B72E1C7786841CB59

Non-executed Functions

Function 0040350F Relevance: 2.7, Strings: 2, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Q;@, xrefs: 004036E2, 004035FD
, xrefs: 004036AE

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: $Q;@
API String ID: 0-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00402A76 Relevance: 1.6, Strings: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 00404C19 Relevance: 1.6, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

WG@, xrefs: 00404C26

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID: WG@
API String ID: 0-1599502709
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 00403797 Relevance: 1.5, Strings: 1, Instructions: 214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004043B6 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5062141294976e9a15f3d534513453e835868338a667c563a394678185a2e0ae
Instruction ID: 507edf943f6954747fb652e063bbb54c6dd3cd628c171472844fae73eabc1576
Opcode Fuzzy Hash: 5062141294976e9a15f3d534513453e835868338a667c563a394678185a2e0ae
Instruction Fuzzy Hash: A6520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 00406C40 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a4aa03407b4b886905fa73947b5e66cb56c06cbdc47549cb14339d3dddfd134
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 9a4aa03407b4b886905fa73947b5e66cb56c06cbdc47549cb14339d3dddfd134
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00402E7E Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1565004681.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1564982670.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.1565085674.0000000000477000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report alN48K3xcD.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_58356131876c03b70c1bf657eebb55c2c5868ff_34a83304_1a0d97d8-772a-4217-87d7-45f838ee0189\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tasksche.exe_58356131876c03b70c1bf657eebb55c2c5868ff_34a83304_554de4e3-cce4-4d08-9bed-45610759fa3b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F5B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4334.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4364.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4372.tmp.csv

C:\ProgramData\Microsoft\Windows\WER\Temp\WER43E0.tmp.txt

C:\ProgramData\Microsoft\Windows\WER\Temp\WER45B4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B43.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B72.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B82.tmp.csv

Windows Analysis Report
alN48K3xcD.dll