Edit tour

Windows Analysis Report
zgAMfHzvZN.dll

Overview

General Information

Sample name:	zgAMfHzvZN.dll renamed because original name is a hash value
Original sample name:	3c3591eb1df1f5f60cc846685303fb58.dll
Analysis ID:	1591879
MD5:	3c3591eb1df1f5f60cc846685303fb58
SHA1:	d0c3fd09e35ca27aa28099dd5c28f2f0b3f28e2b
SHA256:	92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Connects to several IPs in different countries

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7484 cmdline: loaddll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7536 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7568 cmdline: rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7552 cmdline: rundll32.exe C:\Users\user\Desktop\zgAMfHzvZN.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7624 cmdline: C:\WINDOWS\mssecsvc.exe MD5: D21D12114F36CB9CD7AF57659151D441)

tasksche.exe (PID: 7784 cmdline: C:\WINDOWS\tasksche.exe /i MD5: D7F2C9304928C99E1D6856FDF2E75F5F)

rundll32.exe (PID: 7904 cmdline: rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 7924 cmdline: C:\WINDOWS\mssecsvc.exe MD5: D21D12114F36CB9CD7AF57659151D441)

tasksche.exe (PID: 7988 cmdline: C:\WINDOWS\tasksche.exe /i MD5: D7F2C9304928C99E1D6856FDF2E75F5F)

mssecsvc.exe (PID: 7716 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: D21D12114F36CB9CD7AF57659151D441)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
zgAMfHzvZN.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
zgAMfHzvZN.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$ 0xd195:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x78da:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x5449:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
zgAMfHzvZN.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000000.1462996462.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1431412188.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000C.00000002.1463916151.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.1464405629.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000009.00000000.1442084897.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1437702648.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.1460455923.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 7624	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7716	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 7924	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 24 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.mssecsvc.exe.1b01084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.1b01084.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.202b8c8.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.202b8c8.7.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
8.2.mssecsvc.exe.1b33128.5.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b33128.5.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1b33128.5.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1b33128.5.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.203a948.9.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.203a948.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.203a948.9.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.203a948.9.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1b10104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b10104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1b10104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1b10104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.205d96c.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.205d96c.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.205d96c.6.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.205d96c.6.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
12.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
12.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
12.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
12.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.205d96c.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.205d96c.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.205d96c.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.205d96c.6.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
9.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
9.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
9.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
9.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
6.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1b33128.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b33128.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1b33128.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1b33128.5.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.202b8c8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.202b8c8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
8.2.mssecsvc.exe.202b8c8.7.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.202b8c8.7.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
6.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
6.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.20368e8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.20368e8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.20368e8.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1b01084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b01084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x28dde4:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x27dbb0:$x3: tasksche.exe 0x28ddc0:$x3: tasksche.exe 0x28dd9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x28de14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x24826c:$x7: mssecsvc.exe 0x263b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x27db88:$x8: C:\%s\qeriuwjhrf 0x28dde4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x248254:$s1: C:\%s\%s 0x263b7c:$s1: C:\%s\%s 0x27db9c:$s1: C:\%s\%s 0x28dd14:$s3: cmd.exe /c "%s" 0x2c0268:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x27aed0:$s5: \\192.168.56.20\IPC$
8.2.mssecsvc.exe.1b01084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
8.2.mssecsvc.exe.1b01084.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x28ddc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x28dde8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1b01084.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2808fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x254984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2548d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x25625a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2860a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
11.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x34780:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x3436c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
11.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
11.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
11.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.203a948.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.203a948.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.203a948.9.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.mssecsvc.exe.1b0c0a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b0c0a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1b0c0a4.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
6.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
6.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
6.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.mssecsvc.exe.1b10104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.mssecsvc.exe.1b10104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.mssecsvc.exe.1b10104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 138 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: zgAMfHzvZN.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\tasksche.exe

Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 97%
Source: C:\WINDOWS\qeriuwjhrf (copy)	Virustotal: Detection: 93%	Perma Link
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 97%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 93%	Perma Link

Multi AV Scanner detection for submitted file

Source: zgAMfHzvZN.dll	ReversingLabs: Detection: 94%
Source: zgAMfHzvZN.dll	Virustotal: Detection: 93%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: zgAMfHzvZN.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe

Code function: 9_2_004018B9 CryptReleaseContext,

9_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: zgAMfHzvZN.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

Network traffic detected: IP country count 10

Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45
Source: unknown	TCP traffic detected without corresponding DNS query: 13.107.253.45

Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe

Code function: CreateFileA,GetFileSizeEx,memcmp,GlobalAlloc,_local_unwind2, WANACRY!

9_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: zgAMfHzvZN.dll, type: SAMPLE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.20368e8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.203a948.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b0c0a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mssecsvc.exe.1b10104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1431412188.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1464405629.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1437702648.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1460455923.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 7924, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: zgAMfHzvZN.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: zgAMfHzvZN.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b01084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b01084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.202b8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.202b8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.20368e8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.20368e8.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.203a948.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.203a948.9.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.mssecsvc.exe.1b0c0a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b0c0a4.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.mssecsvc.exe.1b10104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.mssecsvc.exe.1b10104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000000.1462996462.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000C.00000002.1463916151.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000000.1442084897.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 9_2_00406C40	9_2_00406C40
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402A76	9_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 9_2_00402E7E	9_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040350F	9_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00404C19	9_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 9_2_0040541F	9_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 9_2_00403797	9_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 9_2_004043B7	9_2_004043B7
Source: C:\Windows\tasksche.exe	Code function: 9_2_004031BC	9_2_004031BC

Source: tasksche.exe.6.dr

Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: zgAMfHzvZN.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: zgAMfHzvZN.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: zgAMfHzvZN.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b01084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b01084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.202b8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.202b8c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b33128.5.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.203a948.9.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1b10104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.205d96c.6.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 12.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.205d96c.6.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 9.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b33128.5.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.202b8c8.7.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.20368e8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.20368e8.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b01084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 11.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.203a948.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.203a948.9.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.mssecsvc.exe.1b0c0a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b0c0a4.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 6.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.mssecsvc.exe.1b10104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.mssecsvc.exe.1b10104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000000.1462996462.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000C.00000002.1463916151.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000000.1442084897.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe, 00000009.00000000.1442084897.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000C.00000000.1462996462.000000000040E000.00000008.00000001.01000000.00000007.sdmp, zgAMfHzvZN.dll, tasksche.exe.6.dr

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@20/2@0/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

6_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		6_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		8_2_00408090

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7492:120:WilError_03

Source: zgAMfHzvZN.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zgAMfHzvZN.dll,PlayGame

Source: zgAMfHzvZN.dll	ReversingLabs: Detection: 94%
Source: zgAMfHzvZN.dll	Virustotal: Detection: 93%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zgAMfHzvZN.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\zgAMfHzvZN.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: zgAMfHzvZN.dll

Static file information: File size 5267459 > 1048576

Source: zgAMfHzvZN.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 9_2_00407710 push eax; ret		9_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 9_2_004076C8 push eax; ret		9_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

6_2_00407C40

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 7748	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7748	Thread sleep time: -184000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7756	Thread sleep count: 131 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7756	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 7748	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: mssecsvc.exe, 0000000B.00000002.1464894307.0000000000D84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: mssecsvc.exe, 00000006.00000002.1446975766.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000008.00000002.2082619210.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\tasksche.exe

Code function: 9_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

9_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 9_2_004029CC free,GetProcessHeap,HeapFree,

9_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1

Jump to behavior

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
zgAMfHzvZN.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
zgAMfHzvZN.dll	93%	Virustotal		Browse
zgAMfHzvZN.dll	100%	Avira	TR/AD.WannaCry.pskpy
zgAMfHzvZN.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\WINDOWS\qeriuwjhrf (copy)	98%	ReversingLabs	Win32.Ransomware.WannaCry
C:\WINDOWS\qeriuwjhrf (copy)	93%	Virustotal		Browse
C:\Windows\tasksche.exe	98%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.99.112.1	unknown	Kazakhstan	21299	KAR-TEL-ASAlmatyRepublicofKazakhstanKZ	false
160.31.57.154	unknown	United States	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
40.138.142.52	unknown	United States	32196	DIRECTINSUS	false
35.6.2.1	unknown	United States	36375	UMICH-AS-5US	false
131.92.83.97	unknown	United States	213	DNIC-AS-00213US	false
125.89.6.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
131.92.83.1	unknown	United States	213	DNIC-AS-00213US	false
220.126.220.22	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	false
11.78.48.141	unknown	United States	3356	LEVEL3US	false
153.113.213.1	unknown	United States	1906	NORTHROP-GRUMMANUS	false
178.220.235.2	unknown	Serbia	8400	TELEKOM-ASRS	false
178.220.235.1	unknown	Serbia	8400	TELEKOM-ASRS	false
212.113.42.154	unknown	Ukraine	6849	UKRTELNETUA	false
38.136.20.66	unknown	United States	174	COGENT-174US	false
81.106.104.11	unknown	United Kingdom	5089	NTLGB	false
35.134.115.1	unknown	United States	20115	CHARTER-20115US	false
35.134.115.2	unknown	United States	20115	CHARTER-20115US	false
98.103.218.167	unknown	United States	10796	TWC-10796-MIDWESTUS	false
78.12.175.207	unknown	Italy	8612	TISCALI-IT	false
181.142.212.2	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229
192.168.2.109
192.168.2.106
192.168.2.227
192.168.2.107
192.168.2.228

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591879
Start date and time:	2025-01-15 15:13:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	zgAMfHzvZN.dll renamed because original name is a hash value
Original Sample Name:	3c3591eb1df1f5f60cc846685303fb58.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@20/2@0/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target tasksche.exe, PID 7784 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:14:12	API Interceptor	1x Sleep call for process: loaddll32.exe modified
09:14:45	API Interceptor	112x Sleep call for process: mssecsvc.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DNIC-AS-00213US	XPK8NKw7Jv.elf	Get hash	malicious	Mirai, Moobot	Browse	131.92.109.248
	XUlSYmwgTV.elf	Get hash	malicious	Mirai	Browse	131.92.49.127
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	131.92.49.117
	Cj1mRQdRCL.elf	Get hash	malicious	Mirai, Moobot	Browse	131.92.109.250
	R8c6sZLVQi.elf	Get hash	malicious	Mirai, Moobot	Browse	131.92.109.254
	KOfIj1NrBu.elf	Get hash	malicious	Mirai	Browse	131.92.49.125
	zZMmONZWnO.dll	Get hash	malicious	Wannacry	Browse	131.92.102.118
SINET-ASResearchOrganizationofInformationandSystemsN	bC61G18iPf.dll	Get hash	malicious	Wannacry	Browse	163.149.244.2
	mips.elf	Get hash	malicious	Mirai	Browse	157.111.123.159
	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	133.222.94.93
	meth10.elf	Get hash	malicious	Mirai	Browse	157.84.108.126
	m68k.elf	Get hash	malicious	Unknown	Browse	133.14.26.229
	arm5.elf	Get hash	malicious	Unknown	Browse	202.35.222.61
	meth14.elf	Get hash	malicious	Mirai	Browse	157.115.3.97
	meth2.elf	Get hash	malicious	Mirai	Browse	157.102.206.240
	arm7.elf	Get hash	malicious	Mirai	Browse	160.31.170.63
	meth7.elf	Get hash	malicious	Mirai	Browse	157.114.152.229
UMICH-AS-5US	6qqWn6eIGG.dll	Get hash	malicious	Wannacry	Browse	35.61.65.8
	res.mpsl.elf	Get hash	malicious	Unknown	Browse	35.12.3.218
	6.elf	Get hash	malicious	Unknown	Browse	35.60.28.137
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	35.30.35.134
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	35.37.42.19
	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	35.7.96.26
	sora.ppc.elf	Get hash	malicious	Unknown	Browse	35.18.165.47
	sora.sh4.elf	Get hash	malicious	Unknown	Browse	35.45.178.140
	6.elf	Get hash	malicious	Unknown	Browse	35.36.174.107
	sora.spc.elf	Get hash	malicious	Mirai	Browse	35.24.43.28
KAR-TEL-ASAlmatyRepublicofKazakhstanKZ	loligang.x86.elf	Get hash	malicious	Mirai	Browse	31.132.84.94
	armv5l.elf	Get hash	malicious	Mirai	Browse	37.99.8.155
	hmips.elf	Get hash	malicious	Mirai	Browse	92.49.241.175
	nshkarm7.elf	Get hash	malicious	Mirai	Browse	92.49.241.187
	la.bot.arm7.elf	Get hash	malicious	Mirai	Browse	85.29.150.107
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	176.124.83.185
	bot.spc.elf	Get hash	malicious	Mirai	Browse	85.29.150.126
	armv5l.elf	Get hash	malicious	Mirai	Browse	5.34.81.103
	newtpp.exe	Get hash	malicious	Xmrig	Browse	37.99.52.150
	nuklear.arm.elf	Get hash	malicious	Mirai, Moobot	Browse	91.244.109.17

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.999910067849817
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:QqPoBhz1aRxcSUDk36SAEdhvxWa9
MD5:	D7F2C9304928C99E1D6856FDF2E75F5F
SHA1:	1B2BD87F52C95FA4E129B1EF25C8538D5D4BE7B5
SHA-256:	26213E7FE08C90F11ED7E38C9BE6A50D3FC4EADF884F4F06E51D7F20F71676B7
SHA-512:	091D342951D2C029E9F4C571EEA9C58D27F092CA2B913EC8DECAF4C823AD4AF5E1A04FDF3B53B1A7DDA2352B26E8A610B14E7C0BF03D46712E19E6A067E72D1F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 98% Antivirus: Virustotal, Detection: 93%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	5.999910067849817
Encrypted:	false
SSDEEP:	49152:nQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:QqPoBhz1aRxcSUDk36SAEdhvxWa9
MD5:	D7F2C9304928C99E1D6856FDF2E75F5F
SHA1:	1B2BD87F52C95FA4E129B1EF25C8538D5D4BE7B5
SHA-256:	26213E7FE08C90F11ED7E38C9BE6A50D3FC4EADF884F4F06E51D7F20F71676B7
SHA-512:	091D342951D2C029E9F4C571EEA9C58D27F092CA2B913EC8DECAF4C823AD4AF5E1A04FDF3B53B1A7DDA2352B26E8A610B14E7C0BF03D46712E19E6A067E72D1F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 98% Antivirus: Virustotal, Detection: 93%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.591509329976976
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	zgAMfHzvZN.dll
File size:	5'267'459 bytes
MD5:	3c3591eb1df1f5f60cc846685303fb58
SHA1:	d0c3fd09e35ca27aa28099dd5c28f2f0b3f28e2b
SHA256:	92e19d8feec6650171bd8d60954fc3af2d253002b64547ad22e4761ad74fdb90
SHA512:	f23a38cd00a83bb35a707fd821fd7dd3b706c77fe36b1e03819c0a1cf61424b54163aae0741b7ae6cd14f8a0399c34738500eca897390baa04c102525099eaea
SSDEEP:	49152:JnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:d8qPoBhz1aRxcSUDk36SAEdhvxWa9
TLSH:	7E363358717CD5FCD10A19B804A7CA57E6B33C6666FE6A0F8F408A661D03B19FB90B43
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F5210AD714Bh
cmp dword ptr [10003140h], 00000000h
jmp 00007F5210AD7168h
cmp esi, 01h
je 00007F5210AD7147h
cmp esi, 02h
jne 00007F5210AD7164h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F5210AD714Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F5210AD714Eh
push edi
push esi
push ebx
call 00007F5210AD705Ah
test eax, eax
jne 00007F5210AD7146h
xor eax, eax
jmp 00007F5210AD7190h
push edi
push esi
push ebx
call 00007F5210AD6F0Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F5210AD714Eh
test eax, eax
jne 00007F5210AD7179h
push edi
push eax
push ebx
call 00007F5210AD7036h
test esi, esi
je 00007F5210AD7147h
cmp esi, 03h
jne 00007F5210AD7168h
push edi
push esi
push ebx
call 00007F5210AD7025h
test eax, eax
jne 00007F5210AD7145h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F5210AD7153h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F5210AD714Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	ea6a8a64c34e0d3f676bb8d8d889deca	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770351409912109

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:14:02.812803984 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.815522909 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.841501951 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.841547012 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.841629028 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.844141006 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.844242096 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.851584911 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.861150026 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.863358021 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.907408953 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.910259962 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.927357912 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.929657936 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.948460102 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.948489904 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:02.948544025 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.950330019 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.950385094 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:02.955334902 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.002087116 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.004590988 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.023808956 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.025933981 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.037184000 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.039330006 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.059818029 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.059880972 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.059951067 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.062751055 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.062751055 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.068547964 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.117609978 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.120479107 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.131002903 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.133083105 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.143729925 CET	49676	443	192.168.2.8	52.182.143.211
Jan 15, 2025 15:14:03.145787001 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.147746086 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.164007902 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.164031029 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.164187908 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.166140079 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.166313887 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.171098948 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.224776030 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.227186918 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.239547968 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.241744041 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.250730038 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.252749920 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.274544001 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.274584055 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.274691105 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.280497074 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.281735897 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.286602020 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.333375931 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.335989952 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.345233917 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.347851038 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.362423897 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.364939928 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.389858007 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.389897108 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.390002966 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.393112898 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.394082069 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.398876905 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.440834045 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.443530083 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.457648039 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.459867954 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.477588892 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.479626894 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.502512932 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.502552032 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.502640009 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.505637884 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.506351948 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.511229038 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.551558018 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.554092884 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.571499109 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.573965073 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.589210987 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.591686964 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.613878965 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.613919020 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.614025116 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.617242098 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.617866993 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.622823000 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.681394100 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.684067965 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.691751957 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.693694115 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.711827040 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.713978052 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.753360987 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.753381014 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.753395081 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.753483057 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.756539106 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.757159948 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.761918068 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.795130014 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.795162916 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.795217037 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.838748932 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.840318918 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.840409994 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.843331099 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.845093012 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.868709087 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.868725061 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.868782043 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.871673107 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.872700930 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.877465963 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.956698895 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.959317923 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.962935925 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.962954998 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.962970018 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.963001966 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.963033915 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.965740919 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.966129065 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.978521109 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.991754055 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.991811991 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.991825104 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:03.991889000 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:03.993910074 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.040271997 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.049616098 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.052881002 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.057713032 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.060725927 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.060739040 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.060750961 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.060784101 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.062686920 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.075459957 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.075475931 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.075508118 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.075545073 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.078417063 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.078829050 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.083580971 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.144594908 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.146982908 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.154376984 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.156111956 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.170022964 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.171849966 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.192895889 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.192917109 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.192962885 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.195174932 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.244209051 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.247980118 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.263515949 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.263592005 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.279486895 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.331214905 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.350799084 CET	443	49705	13.107.253.45	192.168.2.8
Jan 15, 2025 15:14:04.393692970 CET	49705	443	192.168.2.8	13.107.253.45
Jan 15, 2025 15:14:04.409368038 CET	49671	443	192.168.2.8	204.79.197.203
Jan 15, 2025 15:14:04.753132105 CET	49677	80	192.168.2.8	192.229.211.108
Jan 15, 2025 15:14:05.643735886 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 15:14:05.893718958 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 15:14:11.399597883 CET	49706	445	192.168.2.8	220.126.220.22
Jan 15, 2025 15:14:11.405410051 CET	445	49706	220.126.220.22	192.168.2.8
Jan 15, 2025 15:14:11.405534029 CET	49706	445	192.168.2.8	220.126.220.22
Jan 15, 2025 15:14:11.406297922 CET	49706	445	192.168.2.8	220.126.220.22
Jan 15, 2025 15:14:11.406506062 CET	49707	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.412240028 CET	445	49706	220.126.220.22	192.168.2.8
Jan 15, 2025 15:14:11.412421942 CET	445	49707	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:11.412496090 CET	49706	445	192.168.2.8	220.126.220.22
Jan 15, 2025 15:14:11.412504911 CET	49707	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.412619114 CET	49707	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.418546915 CET	445	49707	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:11.418952942 CET	49707	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.423101902 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.429081917 CET	445	49708	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:11.429198980 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.429286003 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:11.435108900 CET	445	49708	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:12.753099918 CET	49676	443	192.168.2.8	52.182.143.211
Jan 15, 2025 15:14:13.364610910 CET	49730	445	192.168.2.8	35.134.115.30
Jan 15, 2025 15:14:13.369508028 CET	445	49730	35.134.115.30	192.168.2.8
Jan 15, 2025 15:14:13.369581938 CET	49730	445	192.168.2.8	35.134.115.30
Jan 15, 2025 15:14:13.369636059 CET	49730	445	192.168.2.8	35.134.115.30
Jan 15, 2025 15:14:13.369972944 CET	49731	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.375910997 CET	445	49730	35.134.115.30	192.168.2.8
Jan 15, 2025 15:14:13.375929117 CET	445	49731	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:13.375961065 CET	49730	445	192.168.2.8	35.134.115.30
Jan 15, 2025 15:14:13.376092911 CET	49731	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.376092911 CET	49731	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.378562927 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.382456064 CET	445	49731	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:13.382551908 CET	49731	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.383398056 CET	445	49732	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:13.383474112 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.383544922 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:13.388953924 CET	445	49732	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:15.253156900 CET	49673	443	192.168.2.8	23.206.229.226
Jan 15, 2025 15:14:15.378273010 CET	49677	80	192.168.2.8	192.229.211.108
Jan 15, 2025 15:14:15.379904985 CET	49753	445	192.168.2.8	160.31.57.154
Jan 15, 2025 15:14:15.384808064 CET	445	49753	160.31.57.154	192.168.2.8
Jan 15, 2025 15:14:15.384886026 CET	49753	445	192.168.2.8	160.31.57.154
Jan 15, 2025 15:14:15.384922028 CET	49753	445	192.168.2.8	160.31.57.154
Jan 15, 2025 15:14:15.385221958 CET	49754	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.389976978 CET	445	49753	160.31.57.154	192.168.2.8
Jan 15, 2025 15:14:15.390027046 CET	49753	445	192.168.2.8	160.31.57.154
Jan 15, 2025 15:14:15.390043020 CET	445	49754	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:15.390093088 CET	49754	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.390119076 CET	49754	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.391161919 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.395334959 CET	445	49754	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:15.395389080 CET	49754	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.395983934 CET	445	49755	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:15.396039963 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.396083117 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:15.400892019 CET	445	49755	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:15.503093004 CET	49672	443	192.168.2.8	23.206.229.226
Jan 15, 2025 15:14:17.170125008 CET	443	49704	23.206.229.226	192.168.2.8
Jan 15, 2025 15:14:17.170221090 CET	49704	443	192.168.2.8	23.206.229.226
Jan 15, 2025 15:14:17.406186104 CET	49778	445	192.168.2.8	76.33.192.61
Jan 15, 2025 15:14:17.411218882 CET	445	49778	76.33.192.61	192.168.2.8
Jan 15, 2025 15:14:17.411334038 CET	49778	445	192.168.2.8	76.33.192.61
Jan 15, 2025 15:14:17.411406994 CET	49778	445	192.168.2.8	76.33.192.61
Jan 15, 2025 15:14:17.411674976 CET	49779	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.419224024 CET	445	49778	76.33.192.61	192.168.2.8
Jan 15, 2025 15:14:17.419236898 CET	445	49778	76.33.192.61	192.168.2.8
Jan 15, 2025 15:14:17.419250011 CET	445	49779	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:17.419301033 CET	49778	445	192.168.2.8	76.33.192.61
Jan 15, 2025 15:14:17.419329882 CET	49779	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.419435978 CET	49779	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.420607090 CET	49780	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.425365925 CET	445	49779	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:17.425379992 CET	445	49779	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:17.425426960 CET	49779	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.426489115 CET	445	49780	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:17.426578999 CET	49780	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.426625967 CET	49780	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:17.431355000 CET	445	49780	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:19.410432100 CET	49803	445	192.168.2.8	181.142.212.105
Jan 15, 2025 15:14:19.415255070 CET	445	49803	181.142.212.105	192.168.2.8
Jan 15, 2025 15:14:19.415366888 CET	49803	445	192.168.2.8	181.142.212.105
Jan 15, 2025 15:14:19.415406942 CET	49803	445	192.168.2.8	181.142.212.105
Jan 15, 2025 15:14:19.415558100 CET	49804	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.420209885 CET	445	49803	181.142.212.105	192.168.2.8
Jan 15, 2025 15:14:19.420275927 CET	445	49803	181.142.212.105	192.168.2.8
Jan 15, 2025 15:14:19.420289040 CET	445	49804	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:19.420486927 CET	49803	445	192.168.2.8	181.142.212.105
Jan 15, 2025 15:14:19.420521975 CET	49804	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.420663118 CET	49804	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.421552896 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.425478935 CET	445	49804	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:19.425642967 CET	49804	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.426305056 CET	445	49805	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:19.426422119 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.426517963 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:19.431250095 CET	445	49805	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:21.426135063 CET	49827	445	192.168.2.8	210.164.90.226
Jan 15, 2025 15:14:21.431040049 CET	445	49827	210.164.90.226	192.168.2.8
Jan 15, 2025 15:14:21.431164026 CET	49827	445	192.168.2.8	210.164.90.226
Jan 15, 2025 15:14:21.431225061 CET	49827	445	192.168.2.8	210.164.90.226
Jan 15, 2025 15:14:21.431463003 CET	49828	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.436173916 CET	445	49827	210.164.90.226	192.168.2.8
Jan 15, 2025 15:14:21.436242104 CET	49827	445	192.168.2.8	210.164.90.226
Jan 15, 2025 15:14:21.436295033 CET	445	49828	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:21.436356068 CET	49828	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.436392069 CET	49828	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.437223911 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.441298962 CET	445	49828	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:21.441361904 CET	49828	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.442002058 CET	445	49829	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:21.442066908 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.442118883 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:21.446850061 CET	445	49829	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:23.441365004 CET	49851	445	192.168.2.8	81.154.25.155
Jan 15, 2025 15:14:23.446157932 CET	445	49851	81.154.25.155	192.168.2.8
Jan 15, 2025 15:14:23.446238041 CET	49851	445	192.168.2.8	81.154.25.155
Jan 15, 2025 15:14:23.446271896 CET	49851	445	192.168.2.8	81.154.25.155
Jan 15, 2025 15:14:23.446417093 CET	49852	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.451220036 CET	445	49852	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:23.451239109 CET	445	49851	81.154.25.155	192.168.2.8
Jan 15, 2025 15:14:23.451332092 CET	49852	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.451334000 CET	49851	445	192.168.2.8	81.154.25.155
Jan 15, 2025 15:14:23.451435089 CET	49852	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.451723099 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.456899881 CET	445	49853	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:23.456963062 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.456993103 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.457051039 CET	445	49852	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:23.457098961 CET	49852	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:23.461882114 CET	445	49853	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:25.456820965 CET	49877	445	192.168.2.8	178.220.235.16
Jan 15, 2025 15:14:25.461730957 CET	445	49877	178.220.235.16	192.168.2.8
Jan 15, 2025 15:14:25.461833954 CET	49877	445	192.168.2.8	178.220.235.16
Jan 15, 2025 15:14:25.461874962 CET	49877	445	192.168.2.8	178.220.235.16
Jan 15, 2025 15:14:25.462016106 CET	49878	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.466810942 CET	445	49878	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:25.466891050 CET	49878	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.466902971 CET	445	49877	178.220.235.16	192.168.2.8
Jan 15, 2025 15:14:25.466913939 CET	49878	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.466962099 CET	49877	445	192.168.2.8	178.220.235.16
Jan 15, 2025 15:14:25.467236996 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.472054958 CET	445	49879	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:25.472121000 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.472182035 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.472332954 CET	445	49878	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:25.472393036 CET	49878	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:25.477035046 CET	445	49879	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:27.472646952 CET	49900	445	192.168.2.8	146.108.83.92
Jan 15, 2025 15:14:27.477519989 CET	445	49900	146.108.83.92	192.168.2.8
Jan 15, 2025 15:14:27.477634907 CET	49900	445	192.168.2.8	146.108.83.92
Jan 15, 2025 15:14:27.477653027 CET	49900	445	192.168.2.8	146.108.83.92
Jan 15, 2025 15:14:27.477809906 CET	49901	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.482568026 CET	445	49901	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:27.482642889 CET	49901	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.482672930 CET	445	49900	146.108.83.92	192.168.2.8
Jan 15, 2025 15:14:27.482731104 CET	49900	445	192.168.2.8	146.108.83.92
Jan 15, 2025 15:14:27.482827902 CET	49901	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.483112097 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.487889051 CET	445	49901	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:27.487901926 CET	445	49902	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:27.487958908 CET	49901	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.487977028 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.487998009 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:27.492808104 CET	445	49902	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:29.488476992 CET	49925	445	192.168.2.8	38.136.20.66
Jan 15, 2025 15:14:29.493391037 CET	445	49925	38.136.20.66	192.168.2.8
Jan 15, 2025 15:14:29.493499994 CET	49925	445	192.168.2.8	38.136.20.66
Jan 15, 2025 15:14:29.493516922 CET	49925	445	192.168.2.8	38.136.20.66
Jan 15, 2025 15:14:29.493680000 CET	49926	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.498611927 CET	445	49926	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:29.498794079 CET	49926	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.498861074 CET	49926	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.498898029 CET	445	49925	38.136.20.66	192.168.2.8
Jan 15, 2025 15:14:29.498955965 CET	49925	445	192.168.2.8	38.136.20.66
Jan 15, 2025 15:14:29.499218941 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.504120111 CET	445	49927	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:29.504194021 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.504225016 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:29.504244089 CET	445	49926	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:29.509087086 CET	445	49927	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:29.511596918 CET	445	49926	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:29.511662006 CET	49926	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:31.503539085 CET	49950	445	192.168.2.8	40.138.142.52
Jan 15, 2025 15:14:31.508819103 CET	445	49950	40.138.142.52	192.168.2.8
Jan 15, 2025 15:14:31.508903980 CET	49950	445	192.168.2.8	40.138.142.52
Jan 15, 2025 15:14:31.508949041 CET	49950	445	192.168.2.8	40.138.142.52
Jan 15, 2025 15:14:31.509063959 CET	49951	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.513983965 CET	445	49951	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:31.514045000 CET	49951	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.514075994 CET	49951	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.514076948 CET	445	49950	40.138.142.52	192.168.2.8
Jan 15, 2025 15:14:31.514146090 CET	49950	445	192.168.2.8	40.138.142.52
Jan 15, 2025 15:14:31.514411926 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.519282103 CET	445	49952	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:31.519345999 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.519423962 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:31.520248890 CET	445	49951	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:31.524338007 CET	445	49952	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:31.524795055 CET	445	49951	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:31.524840117 CET	49951	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:32.810535908 CET	445	49708	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:32.810703993 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:32.810703993 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:32.810754061 CET	49708	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:32.815582991 CET	445	49708	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:32.815593958 CET	445	49708	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:33.519447088 CET	49975	445	192.168.2.8	212.113.42.154
Jan 15, 2025 15:14:33.525645018 CET	445	49975	212.113.42.154	192.168.2.8
Jan 15, 2025 15:14:33.525762081 CET	49975	445	192.168.2.8	212.113.42.154
Jan 15, 2025 15:14:33.525794029 CET	49975	445	192.168.2.8	212.113.42.154
Jan 15, 2025 15:14:33.525899887 CET	49976	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.531774044 CET	445	49976	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:33.531845093 CET	49976	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.531861067 CET	49976	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.531951904 CET	445	49975	212.113.42.154	192.168.2.8
Jan 15, 2025 15:14:33.532028913 CET	49975	445	192.168.2.8	212.113.42.154
Jan 15, 2025 15:14:33.532198906 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.537059069 CET	445	49977	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:33.537159920 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.537467957 CET	445	49976	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:33.537560940 CET	49976	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.538958073 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:33.543793917 CET	445	49977	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:34.764437914 CET	445	49732	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:34.764518976 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:34.764599085 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:34.764688015 CET	49732	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:34.769362926 CET	445	49732	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:34.769423008 CET	445	49732	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:35.557185888 CET	49999	445	192.168.2.8	60.183.236.33
Jan 15, 2025 15:14:35.562098980 CET	445	49999	60.183.236.33	192.168.2.8
Jan 15, 2025 15:14:35.562220097 CET	49999	445	192.168.2.8	60.183.236.33
Jan 15, 2025 15:14:35.564008951 CET	49999	445	192.168.2.8	60.183.236.33
Jan 15, 2025 15:14:35.564143896 CET	50001	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.568927050 CET	445	50001	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:35.569032907 CET	50001	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.569276094 CET	445	49999	60.183.236.33	192.168.2.8
Jan 15, 2025 15:14:35.569324017 CET	49999	445	192.168.2.8	60.183.236.33
Jan 15, 2025 15:14:35.570614100 CET	50001	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.574268103 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.575418949 CET	445	50001	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:35.575481892 CET	50001	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.579122066 CET	445	50002	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:35.579200983 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.579216003 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:35.583990097 CET	445	50002	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:35.817178011 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:35.822105885 CET	445	50003	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:35.822201967 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:35.822282076 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:35.827033043 CET	445	50003	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:36.784857988 CET	445	49755	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:36.785084963 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:36.785183907 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:36.785263062 CET	49755	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:36.790020943 CET	445	49755	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:36.790029049 CET	445	49755	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:37.566246033 CET	50005	445	192.168.2.8	125.89.6.41
Jan 15, 2025 15:14:37.571398973 CET	445	50005	125.89.6.41	192.168.2.8
Jan 15, 2025 15:14:37.575105906 CET	50005	445	192.168.2.8	125.89.6.41
Jan 15, 2025 15:14:37.575105906 CET	50005	445	192.168.2.8	125.89.6.41
Jan 15, 2025 15:14:37.575264931 CET	50006	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.580116987 CET	445	50006	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:37.580209970 CET	445	50005	125.89.6.41	192.168.2.8
Jan 15, 2025 15:14:37.580293894 CET	50006	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.580363035 CET	50005	445	192.168.2.8	125.89.6.41
Jan 15, 2025 15:14:37.580423117 CET	50006	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.580661058 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.585978985 CET	445	50006	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:37.586025000 CET	445	50007	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:37.586083889 CET	50006	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.586102962 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.586152077 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:37.591206074 CET	445	50007	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:37.769237995 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:37.774370909 CET	445	50008	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:37.775044918 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:37.775110006 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:37.780242920 CET	445	50008	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:38.794797897 CET	445	49780	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:38.794905901 CET	49780	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:38.795217037 CET	49780	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:38.799940109 CET	445	49780	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:39.582022905 CET	50009	445	192.168.2.8	66.246.170.93
Jan 15, 2025 15:14:39.586920977 CET	445	50009	66.246.170.93	192.168.2.8
Jan 15, 2025 15:14:39.587017059 CET	50009	445	192.168.2.8	66.246.170.93
Jan 15, 2025 15:14:39.587218046 CET	50009	445	192.168.2.8	66.246.170.93
Jan 15, 2025 15:14:39.587404966 CET	50010	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.592180967 CET	445	50010	66.246.170.1	192.168.2.8
Jan 15, 2025 15:14:39.592284918 CET	445	50009	66.246.170.93	192.168.2.8
Jan 15, 2025 15:14:39.592375040 CET	50009	445	192.168.2.8	66.246.170.93
Jan 15, 2025 15:14:39.592396021 CET	50010	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.592470884 CET	50010	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.592770100 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.597405910 CET	445	50010	66.246.170.1	192.168.2.8
Jan 15, 2025 15:14:39.597456932 CET	50010	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.597532988 CET	445	50011	66.246.170.1	192.168.2.8
Jan 15, 2025 15:14:39.597630024 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.597630024 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:14:39.602453947 CET	445	50011	66.246.170.1	192.168.2.8
Jan 15, 2025 15:14:39.800681114 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:39.805550098 CET	445	50012	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:39.805696011 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:39.805814981 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:14:39.810570002 CET	445	50012	160.31.57.1	192.168.2.8
Jan 15, 2025 15:14:40.783256054 CET	445	49805	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:40.785135984 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:40.785136938 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:40.785248041 CET	49805	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:40.789894104 CET	445	49805	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:40.789956093 CET	445	49805	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:41.597553968 CET	50013	445	192.168.2.8	202.1.124.140
Jan 15, 2025 15:14:41.602412939 CET	445	50013	202.1.124.140	192.168.2.8
Jan 15, 2025 15:14:41.602541924 CET	50013	445	192.168.2.8	202.1.124.140
Jan 15, 2025 15:14:41.602582932 CET	50013	445	192.168.2.8	202.1.124.140
Jan 15, 2025 15:14:41.602824926 CET	50014	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.607631922 CET	445	50014	202.1.124.1	192.168.2.8
Jan 15, 2025 15:14:41.607713938 CET	50014	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.607741117 CET	50014	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.608100891 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.608203888 CET	445	50013	202.1.124.140	192.168.2.8
Jan 15, 2025 15:14:41.608257055 CET	50013	445	192.168.2.8	202.1.124.140
Jan 15, 2025 15:14:41.612674952 CET	445	50014	202.1.124.1	192.168.2.8
Jan 15, 2025 15:14:41.612735033 CET	50014	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.612967014 CET	445	50015	202.1.124.1	192.168.2.8
Jan 15, 2025 15:14:41.613039017 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.613091946 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:14:41.617919922 CET	445	50015	202.1.124.1	192.168.2.8
Jan 15, 2025 15:14:41.825615883 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:41.830527067 CET	445	50016	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:41.830600977 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:41.830666065 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:14:41.835433006 CET	445	50016	76.33.192.1	192.168.2.8
Jan 15, 2025 15:14:42.814342022 CET	445	49829	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:42.814496994 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:42.814558983 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:42.814639091 CET	49829	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:42.819453001 CET	445	49829	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:42.819489002 CET	445	49829	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:43.613121033 CET	50017	445	192.168.2.8	37.99.112.18
Jan 15, 2025 15:14:43.617932081 CET	445	50017	37.99.112.18	192.168.2.8
Jan 15, 2025 15:14:43.618083000 CET	50017	445	192.168.2.8	37.99.112.18
Jan 15, 2025 15:14:43.618083000 CET	50017	445	192.168.2.8	37.99.112.18
Jan 15, 2025 15:14:43.618324995 CET	50018	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.623073101 CET	445	50018	37.99.112.1	192.168.2.8
Jan 15, 2025 15:14:43.623123884 CET	50018	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.623142958 CET	445	50017	37.99.112.18	192.168.2.8
Jan 15, 2025 15:14:43.623162031 CET	50018	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.623313904 CET	50017	445	192.168.2.8	37.99.112.18
Jan 15, 2025 15:14:43.623470068 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.628051996 CET	445	50018	37.99.112.1	192.168.2.8
Jan 15, 2025 15:14:43.628102064 CET	50018	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.628206968 CET	445	50019	37.99.112.1	192.168.2.8
Jan 15, 2025 15:14:43.628307104 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.628307104 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:14:43.633095980 CET	445	50019	37.99.112.1	192.168.2.8
Jan 15, 2025 15:14:43.800565958 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:43.805422068 CET	445	50020	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:43.805600882 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:43.805600882 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:14:43.810502052 CET	445	50020	181.142.212.1	192.168.2.8
Jan 15, 2025 15:14:44.828109026 CET	445	49853	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:44.828196049 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:44.828237057 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:44.828299046 CET	49853	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:44.833061934 CET	445	49853	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:44.833091974 CET	445	49853	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:45.660183907 CET	50021	445	192.168.2.8	81.106.104.11
Jan 15, 2025 15:14:45.665091038 CET	445	50021	81.106.104.11	192.168.2.8
Jan 15, 2025 15:14:45.665183067 CET	50021	445	192.168.2.8	81.106.104.11
Jan 15, 2025 15:14:45.665278912 CET	50021	445	192.168.2.8	81.106.104.11
Jan 15, 2025 15:14:45.665386915 CET	50022	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.670273066 CET	445	50022	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:45.670372963 CET	50022	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.674514055 CET	50022	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.674833059 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.676266909 CET	445	50021	81.106.104.11	192.168.2.8
Jan 15, 2025 15:14:45.679665089 CET	445	50023	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:45.679744005 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.680280924 CET	445	50022	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:45.681396008 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.682651997 CET	445	50021	81.106.104.11	192.168.2.8
Jan 15, 2025 15:14:45.682751894 CET	50021	445	192.168.2.8	81.106.104.11
Jan 15, 2025 15:14:45.682972908 CET	445	50022	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:45.683027983 CET	50022	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:45.686142921 CET	445	50023	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:45.816047907 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:45.820826054 CET	445	50024	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:45.820949078 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:45.824975967 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:14:45.829726934 CET	445	50024	210.164.90.1	192.168.2.8
Jan 15, 2025 15:14:46.828528881 CET	445	49879	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:46.828591108 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:46.828643084 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:46.828672886 CET	49879	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:46.833489895 CET	445	49879	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:46.833508968 CET	445	49879	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:47.402761936 CET	445	50023	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:47.402863979 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:47.402863979 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:47.402960062 CET	50023	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:47.407862902 CET	445	50023	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:47.407876968 CET	445	50023	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:47.535064936 CET	50025	445	192.168.2.8	66.182.74.238
Jan 15, 2025 15:14:47.539846897 CET	445	50025	66.182.74.238	192.168.2.8
Jan 15, 2025 15:14:47.539938927 CET	50025	445	192.168.2.8	66.182.74.238
Jan 15, 2025 15:14:47.539966106 CET	50025	445	192.168.2.8	66.182.74.238
Jan 15, 2025 15:14:47.540096998 CET	50026	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.544974089 CET	445	50026	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:47.545002937 CET	445	50025	66.182.74.238	192.168.2.8
Jan 15, 2025 15:14:47.545025110 CET	50026	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.545049906 CET	50025	445	192.168.2.8	66.182.74.238
Jan 15, 2025 15:14:47.545139074 CET	50026	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.545484066 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.550069094 CET	445	50026	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:47.550117970 CET	50026	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.550199986 CET	445	50027	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:47.550259113 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.550308943 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:47.555027962 CET	445	50027	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:47.831531048 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:47.836477041 CET	445	50028	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:47.836618900 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:47.839037895 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:14:47.843883991 CET	445	50028	81.154.25.1	192.168.2.8
Jan 15, 2025 15:14:48.842200041 CET	445	49902	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:48.842320919 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:48.842366934 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:48.842411041 CET	49902	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:48.847913027 CET	445	49902	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:48.847929955 CET	445	49902	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:49.145145893 CET	445	50027	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:49.145250082 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:49.165209055 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:49.165249109 CET	50027	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:49.170025110 CET	445	50027	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:49.170041084 CET	445	50027	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:49.284872055 CET	50029	445	192.168.2.8	35.6.2.63
Jan 15, 2025 15:14:49.289755106 CET	445	50029	35.6.2.63	192.168.2.8
Jan 15, 2025 15:14:49.289844036 CET	50029	445	192.168.2.8	35.6.2.63
Jan 15, 2025 15:14:49.289938927 CET	50029	445	192.168.2.8	35.6.2.63
Jan 15, 2025 15:14:49.290056944 CET	50030	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.294918060 CET	445	50029	35.6.2.63	192.168.2.8
Jan 15, 2025 15:14:49.294951916 CET	445	50030	35.6.2.1	192.168.2.8
Jan 15, 2025 15:14:49.294979095 CET	50029	445	192.168.2.8	35.6.2.63
Jan 15, 2025 15:14:49.295021057 CET	50030	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.295085907 CET	50030	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.295305014 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.301340103 CET	445	50030	35.6.2.1	192.168.2.8
Jan 15, 2025 15:14:49.301372051 CET	445	50031	35.6.2.1	192.168.2.8
Jan 15, 2025 15:14:49.301398039 CET	50030	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.301439047 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.301455021 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:14:49.307513952 CET	445	50031	35.6.2.1	192.168.2.8
Jan 15, 2025 15:14:49.831531048 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:49.836505890 CET	445	50032	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:49.836585045 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:49.836621046 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:14:49.841491938 CET	445	50032	178.220.235.1	192.168.2.8
Jan 15, 2025 15:14:50.409723043 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:50.414557934 CET	445	50033	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:50.414659977 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:50.414707899 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:50.419481993 CET	445	50033	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:50.875135899 CET	445	49927	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:50.875245094 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:50.875328064 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:50.875389099 CET	49927	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:50.880079031 CET	445	49927	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:50.880198956 CET	445	49927	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:50.927938938 CET	50034	445	192.168.2.8	11.78.48.141
Jan 15, 2025 15:14:50.932852030 CET	445	50034	11.78.48.141	192.168.2.8
Jan 15, 2025 15:14:50.932945013 CET	50034	445	192.168.2.8	11.78.48.141
Jan 15, 2025 15:14:50.933016062 CET	50034	445	192.168.2.8	11.78.48.141
Jan 15, 2025 15:14:50.933310986 CET	50035	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.938066959 CET	445	50034	11.78.48.141	192.168.2.8
Jan 15, 2025 15:14:50.938126087 CET	445	50035	11.78.48.1	192.168.2.8
Jan 15, 2025 15:14:50.938133001 CET	50034	445	192.168.2.8	11.78.48.141
Jan 15, 2025 15:14:50.938237906 CET	50035	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.938292980 CET	50035	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.938747883 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.943300009 CET	445	50035	11.78.48.1	192.168.2.8
Jan 15, 2025 15:14:50.943377018 CET	50035	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.943564892 CET	445	50036	11.78.48.1	192.168.2.8
Jan 15, 2025 15:14:50.943628073 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.943675041 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:14:50.948548079 CET	445	50036	11.78.48.1	192.168.2.8
Jan 15, 2025 15:14:51.847429991 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:51.852437019 CET	445	50037	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:51.852555990 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:51.852591038 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:14:51.857454062 CET	445	50037	146.108.83.1	192.168.2.8
Jan 15, 2025 15:14:52.011102915 CET	445	50033	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:52.011198044 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:52.011368990 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:52.011409998 CET	50033	445	192.168.2.8	81.106.104.1
Jan 15, 2025 15:14:52.016184092 CET	445	50033	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:52.016195059 CET	445	50033	81.106.104.1	192.168.2.8
Jan 15, 2025 15:14:52.065937042 CET	50038	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.071046114 CET	445	50038	81.106.104.2	192.168.2.8
Jan 15, 2025 15:14:52.071213007 CET	50038	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.071213007 CET	50038	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.071600914 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.076356888 CET	445	50038	81.106.104.2	192.168.2.8
Jan 15, 2025 15:14:52.076652050 CET	445	50039	81.106.104.2	192.168.2.8
Jan 15, 2025 15:14:52.076713085 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.076736927 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.076914072 CET	445	50038	81.106.104.2	192.168.2.8
Jan 15, 2025 15:14:52.076970100 CET	50038	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:14:52.081602097 CET	445	50039	81.106.104.2	192.168.2.8
Jan 15, 2025 15:14:52.175338030 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:52.180598021 CET	445	50040	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:52.180737972 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:52.180761099 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:52.185599089 CET	445	50040	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:52.457056999 CET	50041	445	192.168.2.8	200.95.54.223
Jan 15, 2025 15:14:52.462084055 CET	445	50041	200.95.54.223	192.168.2.8
Jan 15, 2025 15:14:52.462188005 CET	50041	445	192.168.2.8	200.95.54.223
Jan 15, 2025 15:14:52.462201118 CET	50041	445	192.168.2.8	200.95.54.223
Jan 15, 2025 15:14:52.462378979 CET	50042	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.467236996 CET	445	50042	200.95.54.1	192.168.2.8
Jan 15, 2025 15:14:52.467319965 CET	50042	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.467356920 CET	50042	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.467495918 CET	445	50041	200.95.54.223	192.168.2.8
Jan 15, 2025 15:14:52.467560053 CET	50041	445	192.168.2.8	200.95.54.223
Jan 15, 2025 15:14:52.467741013 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.472342968 CET	445	50042	200.95.54.1	192.168.2.8
Jan 15, 2025 15:14:52.472359896 CET	445	50042	200.95.54.1	192.168.2.8
Jan 15, 2025 15:14:52.472409964 CET	50042	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.472656012 CET	445	50043	200.95.54.1	192.168.2.8
Jan 15, 2025 15:14:52.472718000 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.472755909 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:14:52.477552891 CET	445	50043	200.95.54.1	192.168.2.8
Jan 15, 2025 15:14:52.982649088 CET	445	49952	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:52.982726097 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:52.982767105 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:52.982810974 CET	49952	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:52.987528086 CET	445	49952	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:52.987538099 CET	445	49952	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:53.752376080 CET	445	50040	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:53.752475977 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:53.752885103 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:53.752914906 CET	50040	445	192.168.2.8	66.182.74.1
Jan 15, 2025 15:14:53.757771015 CET	445	50040	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:53.757788897 CET	445	50040	66.182.74.1	192.168.2.8
Jan 15, 2025 15:14:53.844688892 CET	50044	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.849500895 CET	445	50044	66.182.74.2	192.168.2.8
Jan 15, 2025 15:14:53.849579096 CET	50044	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.849667072 CET	50044	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.854564905 CET	445	50044	66.182.74.2	192.168.2.8
Jan 15, 2025 15:14:53.854644060 CET	50044	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.892544985 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:53.897449017 CET	445	50045	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:53.897516966 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:53.901063919 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:14:53.905898094 CET	445	50045	38.136.20.1	192.168.2.8
Jan 15, 2025 15:14:53.920582056 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.925637960 CET	445	50046	66.182.74.2	192.168.2.8
Jan 15, 2025 15:14:53.925702095 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.930403948 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:14:53.935276031 CET	445	50046	66.182.74.2	192.168.2.8
Jan 15, 2025 15:14:54.158879995 CET	50047	445	192.168.2.8	198.38.143.183
Jan 15, 2025 15:14:54.164513111 CET	445	50047	198.38.143.183	192.168.2.8
Jan 15, 2025 15:14:54.164594889 CET	50047	445	192.168.2.8	198.38.143.183
Jan 15, 2025 15:14:54.164690018 CET	50047	445	192.168.2.8	198.38.143.183
Jan 15, 2025 15:14:54.164855003 CET	50048	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.169681072 CET	445	50048	198.38.143.1	192.168.2.8
Jan 15, 2025 15:14:54.169745922 CET	50048	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.169773102 CET	50048	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.169795036 CET	445	50047	198.38.143.183	192.168.2.8
Jan 15, 2025 15:14:54.169845104 CET	50047	445	192.168.2.8	198.38.143.183
Jan 15, 2025 15:14:54.170458078 CET	50049	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.174689054 CET	445	50048	198.38.143.1	192.168.2.8
Jan 15, 2025 15:14:54.174748898 CET	50048	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.175235033 CET	445	50049	198.38.143.1	192.168.2.8
Jan 15, 2025 15:14:54.175297022 CET	50049	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.175328970 CET	50049	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:14:54.180139065 CET	445	50049	198.38.143.1	192.168.2.8
Jan 15, 2025 15:14:54.801273108 CET	49703	80	192.168.2.8	199.232.210.172
Jan 15, 2025 15:14:54.806533098 CET	80	49703	199.232.210.172	192.168.2.8
Jan 15, 2025 15:14:54.806592941 CET	49703	80	192.168.2.8	199.232.210.172
Jan 15, 2025 15:14:54.904867887 CET	445	49977	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:54.907001019 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:54.907001019 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:54.907001019 CET	49977	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:54.912895918 CET	445	49977	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:54.912908077 CET	445	49977	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:55.379458904 CET	50050	445	192.168.2.8	78.12.175.207
Jan 15, 2025 15:14:55.386059046 CET	445	50050	78.12.175.207	192.168.2.8
Jan 15, 2025 15:14:55.386158943 CET	50050	445	192.168.2.8	78.12.175.207
Jan 15, 2025 15:14:55.386198044 CET	50050	445	192.168.2.8	78.12.175.207
Jan 15, 2025 15:14:55.386357069 CET	50051	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.395085096 CET	445	50051	78.12.175.1	192.168.2.8
Jan 15, 2025 15:14:55.395097017 CET	445	50050	78.12.175.207	192.168.2.8
Jan 15, 2025 15:14:55.395159006 CET	50050	445	192.168.2.8	78.12.175.207
Jan 15, 2025 15:14:55.395164967 CET	50051	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.395256042 CET	50051	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.395576954 CET	50052	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.401165009 CET	445	50051	78.12.175.1	192.168.2.8
Jan 15, 2025 15:14:55.401175022 CET	445	50051	78.12.175.1	192.168.2.8
Jan 15, 2025 15:14:55.401185036 CET	445	50052	78.12.175.1	192.168.2.8
Jan 15, 2025 15:14:55.401326895 CET	50051	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.401356936 CET	50052	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.401376009 CET	50052	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:14:55.406301022 CET	445	50052	78.12.175.1	192.168.2.8
Jan 15, 2025 15:14:55.987927914 CET	50053	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:55.992911100 CET	445	50053	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:55.992999077 CET	50053	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:55.993043900 CET	50053	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:14:55.997826099 CET	445	50053	40.138.142.1	192.168.2.8
Jan 15, 2025 15:14:56.634835958 CET	50054	445	192.168.2.8	153.113.213.174
Jan 15, 2025 15:14:56.639853001 CET	445	50054	153.113.213.174	192.168.2.8
Jan 15, 2025 15:14:56.641066074 CET	50054	445	192.168.2.8	153.113.213.174
Jan 15, 2025 15:14:56.642296076 CET	50054	445	192.168.2.8	153.113.213.174
Jan 15, 2025 15:14:56.642468929 CET	50055	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.647171021 CET	445	50054	153.113.213.174	192.168.2.8
Jan 15, 2025 15:14:56.647258997 CET	50054	445	192.168.2.8	153.113.213.174
Jan 15, 2025 15:14:56.647275925 CET	445	50055	153.113.213.1	192.168.2.8
Jan 15, 2025 15:14:56.650054932 CET	50055	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.650135994 CET	50055	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.654057980 CET	50056	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.654968023 CET	445	50055	153.113.213.1	192.168.2.8
Jan 15, 2025 15:14:56.655039072 CET	50055	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.659991026 CET	445	50056	153.113.213.1	192.168.2.8
Jan 15, 2025 15:14:56.660890102 CET	50056	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.660928011 CET	50056	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:14:56.666222095 CET	445	50056	153.113.213.1	192.168.2.8
Jan 15, 2025 15:14:56.968162060 CET	445	50002	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:56.968489885 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:56.968590975 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:56.968590975 CET	50002	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:56.973550081 CET	445	50002	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:56.973566055 CET	445	50002	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:57.205928087 CET	445	50003	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:57.206120014 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:57.206120968 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:57.206183910 CET	50003	445	192.168.2.8	220.126.220.1
Jan 15, 2025 15:14:57.211103916 CET	445	50003	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:57.211131096 CET	445	50003	220.126.220.1	192.168.2.8
Jan 15, 2025 15:14:57.269134998 CET	50057	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.274159908 CET	445	50057	220.126.220.2	192.168.2.8
Jan 15, 2025 15:14:57.274241924 CET	50057	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.274279118 CET	50057	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.274612904 CET	50058	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.279395103 CET	445	50057	220.126.220.2	192.168.2.8
Jan 15, 2025 15:14:57.279436111 CET	445	50058	220.126.220.2	192.168.2.8
Jan 15, 2025 15:14:57.279448032 CET	50057	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.279520035 CET	50058	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.279556990 CET	50058	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:14:57.284395933 CET	445	50058	220.126.220.2	192.168.2.8
Jan 15, 2025 15:14:57.785227060 CET	50059	445	192.168.2.8	18.165.209.184
Jan 15, 2025 15:14:57.795191050 CET	445	50059	18.165.209.184	192.168.2.8
Jan 15, 2025 15:14:57.795305014 CET	50059	445	192.168.2.8	18.165.209.184
Jan 15, 2025 15:14:57.797629118 CET	50059	445	192.168.2.8	18.165.209.184
Jan 15, 2025 15:14:57.797951937 CET	50060	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.808175087 CET	445	50059	18.165.209.184	192.168.2.8
Jan 15, 2025 15:14:57.808262110 CET	50059	445	192.168.2.8	18.165.209.184
Jan 15, 2025 15:14:57.808655977 CET	445	50060	18.165.209.1	192.168.2.8
Jan 15, 2025 15:14:57.808725119 CET	50060	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.808773994 CET	50060	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.809138060 CET	50061	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.819436073 CET	445	50061	18.165.209.1	192.168.2.8
Jan 15, 2025 15:14:57.819449902 CET	445	50060	18.165.209.1	192.168.2.8
Jan 15, 2025 15:14:57.819509029 CET	50060	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.819519043 CET	50061	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.819571972 CET	50061	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:14:57.830240011 CET	445	50061	18.165.209.1	192.168.2.8
Jan 15, 2025 15:14:57.909826994 CET	50062	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:57.918591976 CET	445	50062	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:57.918704987 CET	50062	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:57.918796062 CET	50062	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:14:57.927505016 CET	445	50062	212.113.42.1	192.168.2.8
Jan 15, 2025 15:14:58.863213062 CET	50063	445	192.168.2.8	38.110.111.12
Jan 15, 2025 15:14:58.868292093 CET	445	50063	38.110.111.12	192.168.2.8
Jan 15, 2025 15:14:58.868417025 CET	50063	445	192.168.2.8	38.110.111.12
Jan 15, 2025 15:14:58.868499041 CET	50063	445	192.168.2.8	38.110.111.12
Jan 15, 2025 15:14:58.868815899 CET	50064	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.873624086 CET	445	50064	38.110.111.1	192.168.2.8
Jan 15, 2025 15:14:58.873712063 CET	50064	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.873756886 CET	50064	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.873769045 CET	445	50063	38.110.111.12	192.168.2.8
Jan 15, 2025 15:14:58.873833895 CET	50063	445	192.168.2.8	38.110.111.12
Jan 15, 2025 15:14:58.875016928 CET	50065	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.878988028 CET	445	50064	38.110.111.1	192.168.2.8
Jan 15, 2025 15:14:58.879059076 CET	50064	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.879805088 CET	445	50065	38.110.111.1	192.168.2.8
Jan 15, 2025 15:14:58.879929066 CET	50065	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.879929066 CET	50065	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:14:58.884689093 CET	445	50065	38.110.111.1	192.168.2.8
Jan 15, 2025 15:14:58.968106985 CET	445	50007	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:58.968252897 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:58.968442917 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:58.968503952 CET	50007	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:14:58.973181009 CET	445	50007	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:58.973237991 CET	445	50007	125.89.6.1	192.168.2.8
Jan 15, 2025 15:14:59.175935030 CET	445	50008	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:59.176009893 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:59.176166058 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:59.176233053 CET	50008	445	192.168.2.8	35.134.115.1
Jan 15, 2025 15:14:59.180988073 CET	445	50008	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:59.181068897 CET	445	50008	35.134.115.1	192.168.2.8
Jan 15, 2025 15:14:59.237983942 CET	50066	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.242856026 CET	445	50066	35.134.115.2	192.168.2.8
Jan 15, 2025 15:14:59.242937088 CET	50066	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.242985010 CET	50066	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.243278027 CET	50067	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.247992992 CET	445	50066	35.134.115.2	192.168.2.8
Jan 15, 2025 15:14:59.248049021 CET	50066	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.248116970 CET	445	50067	35.134.115.2	192.168.2.8
Jan 15, 2025 15:14:59.248168945 CET	50067	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.248191118 CET	50067	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:14:59.253705025 CET	445	50067	35.134.115.2	192.168.2.8
Jan 15, 2025 15:14:59.893064022 CET	50068	445	192.168.2.8	144.8.93.82
Jan 15, 2025 15:14:59.898061037 CET	445	50068	144.8.93.82	192.168.2.8
Jan 15, 2025 15:14:59.898138046 CET	50068	445	192.168.2.8	144.8.93.82
Jan 15, 2025 15:14:59.898262024 CET	50068	445	192.168.2.8	144.8.93.82
Jan 15, 2025 15:14:59.898669004 CET	50069	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.903173923 CET	445	50068	144.8.93.82	192.168.2.8
Jan 15, 2025 15:14:59.903243065 CET	50068	445	192.168.2.8	144.8.93.82
Jan 15, 2025 15:14:59.903489113 CET	445	50069	144.8.93.1	192.168.2.8
Jan 15, 2025 15:14:59.903558016 CET	50069	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.903628111 CET	50069	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.903928995 CET	50070	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.908612013 CET	445	50069	144.8.93.1	192.168.2.8
Jan 15, 2025 15:14:59.908675909 CET	50069	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.908742905 CET	445	50070	144.8.93.1	192.168.2.8
Jan 15, 2025 15:14:59.908797979 CET	50070	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.917870045 CET	50070	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:14:59.922790051 CET	445	50070	144.8.93.1	192.168.2.8
Jan 15, 2025 15:14:59.972194910 CET	50071	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:59.977164030 CET	445	50071	60.183.236.1	192.168.2.8
Jan 15, 2025 15:14:59.977233887 CET	50071	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:59.977293015 CET	50071	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:14:59.982209921 CET	445	50071	60.183.236.1	192.168.2.8
Jan 15, 2025 15:15:00.832129002 CET	50072	445	192.168.2.8	98.103.218.167
Jan 15, 2025 15:15:00.837069035 CET	445	50072	98.103.218.167	192.168.2.8
Jan 15, 2025 15:15:00.837146997 CET	50072	445	192.168.2.8	98.103.218.167
Jan 15, 2025 15:15:00.837243080 CET	50072	445	192.168.2.8	98.103.218.167
Jan 15, 2025 15:15:00.837399006 CET	50073	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.842170000 CET	445	50072	98.103.218.167	192.168.2.8
Jan 15, 2025 15:15:00.842220068 CET	50072	445	192.168.2.8	98.103.218.167
Jan 15, 2025 15:15:00.842242002 CET	445	50073	98.103.218.1	192.168.2.8
Jan 15, 2025 15:15:00.842417002 CET	50073	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.842700005 CET	50074	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.847371101 CET	445	50073	98.103.218.1	192.168.2.8
Jan 15, 2025 15:15:00.847466946 CET	445	50074	98.103.218.1	192.168.2.8
Jan 15, 2025 15:15:00.847517967 CET	50073	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.847548962 CET	50074	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.847587109 CET	50074	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:00.852375984 CET	445	50074	98.103.218.1	192.168.2.8
Jan 15, 2025 15:15:01.096112967 CET	445	50011	66.246.170.1	192.168.2.8
Jan 15, 2025 15:15:01.096743107 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:01.096849918 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:01.096896887 CET	50011	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:01.101727962 CET	445	50011	66.246.170.1	192.168.2.8
Jan 15, 2025 15:15:01.101741076 CET	445	50011	66.246.170.1	192.168.2.8
Jan 15, 2025 15:15:01.249850988 CET	445	50012	160.31.57.1	192.168.2.8
Jan 15, 2025 15:15:01.251121998 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:15:01.251337051 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:15:01.251337051 CET	50012	445	192.168.2.8	160.31.57.1
Jan 15, 2025 15:15:01.256217957 CET	445	50012	160.31.57.1	192.168.2.8
Jan 15, 2025 15:15:01.256231070 CET	445	50012	160.31.57.1	192.168.2.8
Jan 15, 2025 15:15:01.326225042 CET	50075	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.331217051 CET	445	50075	160.31.57.2	192.168.2.8
Jan 15, 2025 15:15:01.331422091 CET	50075	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.331443071 CET	50075	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.336245060 CET	50076	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.336663008 CET	445	50075	160.31.57.2	192.168.2.8
Jan 15, 2025 15:15:01.336740017 CET	50075	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.341124058 CET	445	50076	160.31.57.2	192.168.2.8
Jan 15, 2025 15:15:01.341202021 CET	50076	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.341244936 CET	50076	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:01.346124887 CET	445	50076	160.31.57.2	192.168.2.8
Jan 15, 2025 15:15:01.707114935 CET	50078	445	192.168.2.8	131.92.83.97
Jan 15, 2025 15:15:01.712115049 CET	445	50078	131.92.83.97	192.168.2.8
Jan 15, 2025 15:15:01.712217093 CET	50078	445	192.168.2.8	131.92.83.97
Jan 15, 2025 15:15:01.712389946 CET	50078	445	192.168.2.8	131.92.83.97
Jan 15, 2025 15:15:01.712819099 CET	50079	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.717228889 CET	445	50078	131.92.83.97	192.168.2.8
Jan 15, 2025 15:15:01.717323065 CET	50078	445	192.168.2.8	131.92.83.97
Jan 15, 2025 15:15:01.717600107 CET	445	50079	131.92.83.1	192.168.2.8
Jan 15, 2025 15:15:01.717689991 CET	50079	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.717776060 CET	50079	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.718363047 CET	50080	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.722655058 CET	445	50079	131.92.83.1	192.168.2.8
Jan 15, 2025 15:15:01.722726107 CET	50079	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.723190069 CET	445	50080	131.92.83.1	192.168.2.8
Jan 15, 2025 15:15:01.723268986 CET	50080	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.723326921 CET	50080	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:01.728193045 CET	445	50080	131.92.83.1	192.168.2.8
Jan 15, 2025 15:15:01.975709915 CET	50081	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:15:01.980704069 CET	445	50081	125.89.6.1	192.168.2.8
Jan 15, 2025 15:15:01.980807066 CET	50081	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:15:01.980850935 CET	50081	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:15:01.985682964 CET	445	50081	125.89.6.1	192.168.2.8
Jan 15, 2025 15:15:02.589878082 CET	50082	445	192.168.2.8	56.106.84.171
Jan 15, 2025 15:15:02.594707012 CET	445	50082	56.106.84.171	192.168.2.8
Jan 15, 2025 15:15:02.594774961 CET	50082	445	192.168.2.8	56.106.84.171
Jan 15, 2025 15:15:02.594860077 CET	50082	445	192.168.2.8	56.106.84.171
Jan 15, 2025 15:15:02.595000982 CET	50083	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.599770069 CET	445	50083	56.106.84.1	192.168.2.8
Jan 15, 2025 15:15:02.599791050 CET	445	50082	56.106.84.171	192.168.2.8
Jan 15, 2025 15:15:02.599828959 CET	50083	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.599849939 CET	50082	445	192.168.2.8	56.106.84.171
Jan 15, 2025 15:15:02.599929094 CET	50083	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.601018906 CET	50084	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.604809999 CET	445	50083	56.106.84.1	192.168.2.8
Jan 15, 2025 15:15:02.604876041 CET	50083	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.605885983 CET	445	50084	56.106.84.1	192.168.2.8
Jan 15, 2025 15:15:02.605954885 CET	50084	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.605997086 CET	50084	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:02.610819101 CET	445	50084	56.106.84.1	192.168.2.8
Jan 15, 2025 15:15:02.967371941 CET	445	50015	202.1.124.1	192.168.2.8
Jan 15, 2025 15:15:02.967426062 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:02.967487097 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:02.967526913 CET	50015	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:02.972335100 CET	445	50015	202.1.124.1	192.168.2.8
Jan 15, 2025 15:15:02.972346067 CET	445	50015	202.1.124.1	192.168.2.8
Jan 15, 2025 15:15:03.222923994 CET	445	50016	76.33.192.1	192.168.2.8
Jan 15, 2025 15:15:03.222992897 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:15:03.223026991 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:15:03.223090887 CET	50016	445	192.168.2.8	76.33.192.1
Jan 15, 2025 15:15:03.229274988 CET	445	50016	76.33.192.1	192.168.2.8
Jan 15, 2025 15:15:03.229293108 CET	445	50016	76.33.192.1	192.168.2.8
Jan 15, 2025 15:15:03.284787893 CET	50085	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.289681911 CET	445	50085	76.33.192.2	192.168.2.8
Jan 15, 2025 15:15:03.291096926 CET	50085	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.291110992 CET	50085	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.291457891 CET	50086	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.296206951 CET	445	50085	76.33.192.2	192.168.2.8
Jan 15, 2025 15:15:03.296236992 CET	445	50086	76.33.192.2	192.168.2.8
Jan 15, 2025 15:15:03.296295881 CET	50085	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.296324968 CET	50086	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.296360970 CET	50086	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:03.301115036 CET	445	50086	76.33.192.2	192.168.2.8
Jan 15, 2025 15:15:03.373990059 CET	50087	445	192.168.2.8	206.65.244.128
Jan 15, 2025 15:15:03.378981113 CET	445	50087	206.65.244.128	192.168.2.8
Jan 15, 2025 15:15:03.381124973 CET	50087	445	192.168.2.8	206.65.244.128
Jan 15, 2025 15:15:03.381167889 CET	50087	445	192.168.2.8	206.65.244.128
Jan 15, 2025 15:15:03.381342888 CET	50088	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.386169910 CET	445	50088	206.65.244.1	192.168.2.8
Jan 15, 2025 15:15:03.386205912 CET	445	50087	206.65.244.128	192.168.2.8
Jan 15, 2025 15:15:03.386288881 CET	50088	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.386305094 CET	50088	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.386686087 CET	50087	445	192.168.2.8	206.65.244.128
Jan 15, 2025 15:15:03.386687040 CET	50089	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.391500950 CET	445	50088	206.65.244.1	192.168.2.8
Jan 15, 2025 15:15:03.391539097 CET	445	50089	206.65.244.1	192.168.2.8
Jan 15, 2025 15:15:03.391606092 CET	50088	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.391635895 CET	50089	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.391669035 CET	50089	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:03.396471977 CET	445	50089	206.65.244.1	192.168.2.8
Jan 15, 2025 15:15:04.112962008 CET	50091	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:04.118074894 CET	445	50091	66.246.170.1	192.168.2.8
Jan 15, 2025 15:15:04.119110107 CET	50091	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:04.121124983 CET	50091	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:04.125941038 CET	445	50091	66.246.170.1	192.168.2.8
Jan 15, 2025 15:15:04.983105898 CET	445	50019	37.99.112.1	192.168.2.8
Jan 15, 2025 15:15:04.983197927 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:04.983247995 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:04.983272076 CET	50019	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:04.988177061 CET	445	50019	37.99.112.1	192.168.2.8
Jan 15, 2025 15:15:04.988192081 CET	445	50019	37.99.112.1	192.168.2.8
Jan 15, 2025 15:15:05.191765070 CET	445	50020	181.142.212.1	192.168.2.8
Jan 15, 2025 15:15:05.191863060 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:15:05.193666935 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:15:05.193877935 CET	50020	445	192.168.2.8	181.142.212.1
Jan 15, 2025 15:15:05.198421955 CET	445	50020	181.142.212.1	192.168.2.8
Jan 15, 2025 15:15:05.198612928 CET	445	50020	181.142.212.1	192.168.2.8
Jan 15, 2025 15:15:05.263689041 CET	50094	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.268613100 CET	445	50094	181.142.212.2	192.168.2.8
Jan 15, 2025 15:15:05.268672943 CET	50094	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.271948099 CET	50094	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.272290945 CET	50095	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.276926041 CET	445	50094	181.142.212.2	192.168.2.8
Jan 15, 2025 15:15:05.276995897 CET	50094	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.277071953 CET	445	50095	181.142.212.2	192.168.2.8
Jan 15, 2025 15:15:05.277137041 CET	50095	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.277432919 CET	50095	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:05.282195091 CET	445	50095	181.142.212.2	192.168.2.8
Jan 15, 2025 15:15:05.972184896 CET	50098	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:05.977137089 CET	445	50098	202.1.124.1	192.168.2.8
Jan 15, 2025 15:15:05.977225065 CET	50098	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:05.977272987 CET	50098	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:05.982116938 CET	445	50098	202.1.124.1	192.168.2.8
Jan 15, 2025 15:15:07.172604084 CET	445	50024	210.164.90.1	192.168.2.8
Jan 15, 2025 15:15:07.172677994 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:15:07.172744036 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:15:07.172810078 CET	50024	445	192.168.2.8	210.164.90.1
Jan 15, 2025 15:15:07.177505016 CET	445	50024	210.164.90.1	192.168.2.8
Jan 15, 2025 15:15:07.177526951 CET	445	50024	210.164.90.1	192.168.2.8
Jan 15, 2025 15:15:07.237904072 CET	50106	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.244234085 CET	445	50106	210.164.90.2	192.168.2.8
Jan 15, 2025 15:15:07.244317055 CET	50106	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.244381905 CET	50106	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.244730949 CET	50107	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.249438047 CET	445	50106	210.164.90.2	192.168.2.8
Jan 15, 2025 15:15:07.249505043 CET	50106	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.249563932 CET	445	50107	210.164.90.2	192.168.2.8
Jan 15, 2025 15:15:07.249758005 CET	50107	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.249816895 CET	50107	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:07.254570007 CET	445	50107	210.164.90.2	192.168.2.8
Jan 15, 2025 15:15:07.988097906 CET	50112	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:07.993165970 CET	445	50112	37.99.112.1	192.168.2.8
Jan 15, 2025 15:15:07.993247986 CET	50112	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:07.993295908 CET	50112	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:07.998158932 CET	445	50112	37.99.112.1	192.168.2.8
Jan 15, 2025 15:15:09.202539921 CET	445	50028	81.154.25.1	192.168.2.8
Jan 15, 2025 15:15:09.202625036 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:15:09.202665091 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:15:09.202699900 CET	50028	445	192.168.2.8	81.154.25.1
Jan 15, 2025 15:15:09.207492113 CET	445	50028	81.154.25.1	192.168.2.8
Jan 15, 2025 15:15:09.207504034 CET	445	50028	81.154.25.1	192.168.2.8
Jan 15, 2025 15:15:09.253684044 CET	50125	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.258701086 CET	445	50125	81.154.25.2	192.168.2.8
Jan 15, 2025 15:15:09.258888006 CET	50125	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.262278080 CET	50125	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.262821913 CET	50126	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.267306089 CET	445	50125	81.154.25.2	192.168.2.8
Jan 15, 2025 15:15:09.267374992 CET	50125	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.267873049 CET	445	50126	81.154.25.2	192.168.2.8
Jan 15, 2025 15:15:09.267946959 CET	50126	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.268013000 CET	50126	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:09.273138046 CET	445	50126	81.154.25.2	192.168.2.8
Jan 15, 2025 15:15:10.674372911 CET	445	50031	35.6.2.1	192.168.2.8
Jan 15, 2025 15:15:10.674493074 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:10.674539089 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:10.674563885 CET	50031	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:10.679368973 CET	445	50031	35.6.2.1	192.168.2.8
Jan 15, 2025 15:15:10.679382086 CET	445	50031	35.6.2.1	192.168.2.8
Jan 15, 2025 15:15:11.203573942 CET	445	50032	178.220.235.1	192.168.2.8
Jan 15, 2025 15:15:11.203669071 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:15:11.204231024 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:15:11.204271078 CET	50032	445	192.168.2.8	178.220.235.1
Jan 15, 2025 15:15:11.209052086 CET	445	50032	178.220.235.1	192.168.2.8
Jan 15, 2025 15:15:11.209063053 CET	445	50032	178.220.235.1	192.168.2.8
Jan 15, 2025 15:15:11.270514011 CET	50155	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.275440931 CET	445	50155	178.220.235.2	192.168.2.8
Jan 15, 2025 15:15:11.275537968 CET	50155	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.275599003 CET	50155	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.276038885 CET	50156	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.280502081 CET	445	50155	178.220.235.2	192.168.2.8
Jan 15, 2025 15:15:11.280567884 CET	50155	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.280859947 CET	445	50156	178.220.235.2	192.168.2.8
Jan 15, 2025 15:15:11.280914068 CET	50156	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.280946016 CET	50156	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:11.285695076 CET	445	50156	178.220.235.2	192.168.2.8
Jan 15, 2025 15:15:12.295625925 CET	445	50036	11.78.48.1	192.168.2.8
Jan 15, 2025 15:15:12.295949936 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:12.295950890 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:12.295950890 CET	50036	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:12.300837040 CET	445	50036	11.78.48.1	192.168.2.8
Jan 15, 2025 15:15:12.300899982 CET	445	50036	11.78.48.1	192.168.2.8
Jan 15, 2025 15:15:13.221393108 CET	445	50037	146.108.83.1	192.168.2.8
Jan 15, 2025 15:15:13.222121000 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:15:13.222163916 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:15:13.222209930 CET	50037	445	192.168.2.8	146.108.83.1
Jan 15, 2025 15:15:13.226985931 CET	445	50037	146.108.83.1	192.168.2.8
Jan 15, 2025 15:15:13.226994991 CET	445	50037	146.108.83.1	192.168.2.8
Jan 15, 2025 15:15:13.285069942 CET	50205	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.289977074 CET	445	50205	146.108.83.2	192.168.2.8
Jan 15, 2025 15:15:13.290349007 CET	50206	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.290404081 CET	50205	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.290404081 CET	50205	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.295203924 CET	445	50206	146.108.83.2	192.168.2.8
Jan 15, 2025 15:15:13.295278072 CET	50206	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.295958996 CET	445	50205	146.108.83.2	192.168.2.8
Jan 15, 2025 15:15:13.295986891 CET	50206	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.296214104 CET	50205	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:13.300749063 CET	445	50206	146.108.83.2	192.168.2.8
Jan 15, 2025 15:15:13.451884031 CET	445	50039	81.106.104.2	192.168.2.8
Jan 15, 2025 15:15:13.451997042 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:15:13.452106953 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:15:13.452146053 CET	50039	445	192.168.2.8	81.106.104.2
Jan 15, 2025 15:15:13.456851006 CET	445	50039	81.106.104.2	192.168.2.8
Jan 15, 2025 15:15:13.456899881 CET	445	50039	81.106.104.2	192.168.2.8
Jan 15, 2025 15:15:13.675245047 CET	50220	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:13.680223942 CET	445	50220	35.6.2.1	192.168.2.8
Jan 15, 2025 15:15:13.680412054 CET	50220	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:13.680440903 CET	50220	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:13.685213089 CET	445	50220	35.6.2.1	192.168.2.8
Jan 15, 2025 15:15:13.826906919 CET	445	50043	200.95.54.1	192.168.2.8
Jan 15, 2025 15:15:13.827027082 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:15:13.827074051 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:15:13.827133894 CET	50043	445	192.168.2.8	200.95.54.1
Jan 15, 2025 15:15:13.831896067 CET	445	50043	200.95.54.1	192.168.2.8
Jan 15, 2025 15:15:13.831909895 CET	445	50043	200.95.54.1	192.168.2.8
Jan 15, 2025 15:15:15.299849033 CET	445	50046	66.182.74.2	192.168.2.8
Jan 15, 2025 15:15:15.300043106 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:15:15.300043106 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:15:15.300043106 CET	50046	445	192.168.2.8	66.182.74.2
Jan 15, 2025 15:15:15.300431967 CET	50337	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:15.301213980 CET	445	50045	38.136.20.1	192.168.2.8
Jan 15, 2025 15:15:15.301331043 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:15:15.301435947 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:15:15.301435947 CET	50045	445	192.168.2.8	38.136.20.1
Jan 15, 2025 15:15:15.304894924 CET	445	50046	66.182.74.2	192.168.2.8
Jan 15, 2025 15:15:15.304903984 CET	445	50046	66.182.74.2	192.168.2.8
Jan 15, 2025 15:15:15.305216074 CET	445	50337	11.78.48.1	192.168.2.8
Jan 15, 2025 15:15:15.305274010 CET	50337	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:15.305325031 CET	50337	445	192.168.2.8	11.78.48.1
Jan 15, 2025 15:15:15.306298018 CET	445	50045	38.136.20.1	192.168.2.8
Jan 15, 2025 15:15:15.306318045 CET	445	50045	38.136.20.1	192.168.2.8
Jan 15, 2025 15:15:15.310086012 CET	445	50337	11.78.48.1	192.168.2.8
Jan 15, 2025 15:15:15.362854958 CET	50343	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.367810011 CET	445	50343	38.136.20.2	192.168.2.8
Jan 15, 2025 15:15:15.367886066 CET	50343	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.367947102 CET	50343	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.368181944 CET	50344	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.372996092 CET	445	50343	38.136.20.2	192.168.2.8
Jan 15, 2025 15:15:15.373007059 CET	445	50344	38.136.20.2	192.168.2.8
Jan 15, 2025 15:15:15.373047113 CET	50343	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.373070002 CET	50344	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.373111963 CET	50344	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:15.377919912 CET	445	50344	38.136.20.2	192.168.2.8
Jan 15, 2025 15:15:15.546670914 CET	445	50049	198.38.143.1	192.168.2.8
Jan 15, 2025 15:15:15.546796083 CET	50049	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:15:16.342607021 CET	50061	445	192.168.2.8	18.165.209.1
Jan 15, 2025 15:15:16.342648983 CET	50126	445	192.168.2.8	81.154.25.2
Jan 15, 2025 15:15:16.342679977 CET	50067	445	192.168.2.8	35.134.115.2
Jan 15, 2025 15:15:16.342737913 CET	50076	445	192.168.2.8	160.31.57.2
Jan 15, 2025 15:15:16.342865944 CET	50206	445	192.168.2.8	146.108.83.2
Jan 15, 2025 15:15:16.342920065 CET	50052	445	192.168.2.8	78.12.175.1
Jan 15, 2025 15:15:16.342948914 CET	50053	445	192.168.2.8	40.138.142.1
Jan 15, 2025 15:15:16.342961073 CET	50049	445	192.168.2.8	198.38.143.1
Jan 15, 2025 15:15:16.342984915 CET	50056	445	192.168.2.8	153.113.213.1
Jan 15, 2025 15:15:16.343010902 CET	50062	445	192.168.2.8	212.113.42.1
Jan 15, 2025 15:15:16.343012094 CET	50058	445	192.168.2.8	220.126.220.2
Jan 15, 2025 15:15:16.343038082 CET	50065	445	192.168.2.8	38.110.111.1
Jan 15, 2025 15:15:16.343075037 CET	50070	445	192.168.2.8	144.8.93.1
Jan 15, 2025 15:15:16.343077898 CET	50071	445	192.168.2.8	60.183.236.1
Jan 15, 2025 15:15:16.343107939 CET	50074	445	192.168.2.8	98.103.218.1
Jan 15, 2025 15:15:16.343137980 CET	50081	445	192.168.2.8	125.89.6.1
Jan 15, 2025 15:15:16.343141079 CET	50080	445	192.168.2.8	131.92.83.1
Jan 15, 2025 15:15:16.343169928 CET	50086	445	192.168.2.8	76.33.192.2
Jan 15, 2025 15:15:16.343195915 CET	50084	445	192.168.2.8	56.106.84.1
Jan 15, 2025 15:15:16.343240976 CET	50089	445	192.168.2.8	206.65.244.1
Jan 15, 2025 15:15:16.343277931 CET	50091	445	192.168.2.8	66.246.170.1
Jan 15, 2025 15:15:16.343278885 CET	50112	445	192.168.2.8	37.99.112.1
Jan 15, 2025 15:15:16.343319893 CET	50095	445	192.168.2.8	181.142.212.2
Jan 15, 2025 15:15:16.343334913 CET	50098	445	192.168.2.8	202.1.124.1
Jan 15, 2025 15:15:16.343379974 CET	50107	445	192.168.2.8	210.164.90.2
Jan 15, 2025 15:15:16.343447924 CET	50156	445	192.168.2.8	178.220.235.2
Jan 15, 2025 15:15:16.343589067 CET	50220	445	192.168.2.8	35.6.2.1
Jan 15, 2025 15:15:16.343662024 CET	50344	445	192.168.2.8	38.136.20.2
Jan 15, 2025 15:15:16.344280958 CET	50337	445	192.168.2.8	11.78.48.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 15:14:53.848972082 CET	138	138	192.168.2.8	192.168.2.255

Target ID:	0
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll"
Imagebase:	0xad0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\zgAMfHzvZN.dll,PlayGame
Imagebase:	0x700000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",#1
Imagebase:	0x700000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:14:09
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	D21D12114F36CB9CD7AF57659151D441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1431412188.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000000.1431540630.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:14:10
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	D21D12114F36CB9CD7AF57659151D441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1437702648.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.1437906578.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2082920782.0000000001B10000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.2083173264.000000000203A000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:14:10
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	D7F2C9304928C99E1D6856FDF2E75F5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000000.1442084897.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 98%, ReversingLabs Detection: 93%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:14:12
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\zgAMfHzvZN.dll",PlayGame
Imagebase:	0x700000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:14:12
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	D21D12114F36CB9CD7AF57659151D441
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1464405629.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1460455923.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000002.1464568997.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000B.00000000.1460672967.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:14:13
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	D7F2C9304928C99E1D6856FDF2E75F5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000000.1462996462.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000C.00000002.1463916151.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	77.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

WINDOWS, xrefs: 00407DF2, 00407E0D
CreateFileA, xrefs: 00407D0F
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
C:\%s\qeriuwjhrf, xrefs: 00407E12
CloseHandle, xrefs: 00407D29
CreateProcessA, xrefs: 00407D07
tasksche.exe, xrefs: 00407DEA
WriteFile, xrefs: 00407D1C
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000006.00000002.1443502847.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1443483239.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443546361.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443766096.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
mssecsvc2.0, xrefs: 00407C95
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000006.00000002.1443502847.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1443483239.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443546361.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443766096.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000006.00000002.1443502847.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1443483239.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443546361.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443766096.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000006.00000002.1443502847.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1443483239.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443546361.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443766096.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000006.00000002.1443502847.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.1443483239.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443546361.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443584155.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1443766096.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.1444529361.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 7716, Parent PID: 624COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F8D0EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000008.00000002.2082099757.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2082082188.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082121769.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082192472.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082209421.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000008.00000002.2082099757.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2082082188.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082121769.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082192472.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082209421.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F8D0EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50
mssecsvc2.0, xrefs: 00407C95

Memory Dump Source

Source File: 00000008.00000002.2082099757.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2082082188.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082121769.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082192472.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082209421.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F8D0EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

CloseHandle, xrefs: 00407D29
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3
C:\%s\%s, xrefs: 00407DFB
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
C:\%s\qeriuwjhrf, xrefs: 00407E12
WriteFile, xrefs: 00407D1C
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
kernel32.dll, xrefs: 00407CEA

Memory Dump Source

Source File: 00000008.00000002.2082099757.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2082082188.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082121769.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082192472.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082209421.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000008.00000002.2082099757.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.2082082188.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082121769.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082139018.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082174586.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082192472.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082209421.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000008.00000002.2082285812.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 7784, Parent PID: 7624COMMON

Non-executed Functions

Function 00406C40 Relevance: 30.1, APIs: 13, Strings: 4, Instructions: 365COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,0000012C,?), ref: 00406C91

Strings

/../, xrefs: 00406DF5
\..\, xrefs: 00406DD9
\../, xrefs: 00406DE7
/..\, xrefs: 00406E03

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: /../$/..\$\../$\..\
API String ID: 3510742995-3885502717
Opcode ID: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction ID: 8d35de4500b3f4065ad8a7d009fa2f60231b6be20ed9f01f65d9d1a3966dd706
Opcode Fuzzy Hash: 24419fe79de55b9e050378da4d3ae0875fe08eefc49193e89ac78033597620dd
Instruction Fuzzy Hash: 98D147729082459FDB15CF68C881AEABBF4EF05300F15857FE49AB7381C738A915CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

Strings

CryptDestroyKey, xrefs: 00401A86
advapi32.dll, xrefs: 00401A55
CryptAcquireContextA, xrefs: 00401A71
CryptImportKey, xrefs: 00401A79
CryptGenKey, xrefs: 00401AAD
CryptDecrypt, xrefs: 00401AA0
CryptEncrypt, xrefs: 00401A93

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00401CE8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 75serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,0040F8AC,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"
API String ID: 1485051382-955883872
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?,?,?,00000000,00000010,?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570,?,00000000,00000010,?), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 13455132f19fce7ccee5142b200569a1d3dc411a47d032a17fbb22a214c81369
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004014A6 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 178filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
_local_unwind2.MSVCRT(?,000000FF), ref: 004016D6

Strings

WANACRY!, xrefs: 00401566

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalSize_local_unwind2memcmp
String ID: WANACRY!
API String ID: 283026544-1240840912
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B51,?,?,?), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 68433a68c8f87a96c4578501cf6b50a347b0c2ca376bc2ea45e1a632b2ad4c4a
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,?,?,00403B9C,?,?,?), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: f4b5f5b39d3fd1fccf69c885608927ed404fa65085bd71c262b9c8f9e9248758
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT(?,00402198,00000000,00000000,0040243C,00000000), ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00403554,00000002,?,?,?,?), ref: 00402EA7

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,?,004037DC,00000002,?,?,?,?), ref: 004031E5

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043B7 Relevance: 1.9, APIs: 1, Instructions: 682COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction ID: 90343a8667ee0670e87e021bba3e221c8adc0c1da1bb1a76252bfdf766af77e9
Opcode Fuzzy Hash: f98d37e25a52c04dcc5b825836114b3c9bed0208ddb816caf6c63d538b842863
Instruction Fuzzy Hash: FB520CB5900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55CF44

Function 004018B9 Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 00404C19 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA,?,?,?,00401711), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey,?,?,?,00401711), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey,?,?,?,00401711), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt,?,?,?,00401711), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt,?,?,?,00401711), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey,?,?,?,00401711), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

CloseHandle, xrefs: 0040178C
WriteFile, xrefs: 0040174B
CreateFileW, xrefs: 00401743
DeleteFileW, xrefs: 0040177F
ReadFile, xrefs: 00401758
MoveFileExW, xrefs: 00401772
MoveFileW, xrefs: 00401765
kernel32.dll, xrefs: 00401727

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 00407136 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 272COMMON

Download Yara Rule

Strings

%s%s%s, xrefs: 004072F6
:, xrefs: 0040736E
\, xrefs: 00407358
%s%s, xrefs: 00407389

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction ID: 622825bbce38b7500016b977d00db7372d85e5c8e1565b3adbba59f792ee02a2
Opcode Fuzzy Hash: fa5f8851d26bf09fdef4e4f1c55e900ad1a47778409aa7a1c0108d1ccba85c9d
Instruction Fuzzy Hash: 42A12A31C082049BDB319F14CC44BEA7BA9AB01314F2445BFF895B62D1D73DBA95CB5A

Function 0040203B Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 106stringfileCOMMON

Download Yara Rule

APIs

__p___argv.MSVCRT(0040F538), ref: 00402040
strcmp.MSVCRT(?), ref: 0040204B
CopyFileA.KERNEL32(?,tasksche.exe), ref: 0040206F
GetFileAttributesA.KERNEL32(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT(?,0000005C,?,?,00000000), ref: 0040209D
strrchr.MSVCRT(?,0000005C), ref: 004020AE
SetCurrentDirectoryA.KERNEL32(?,00000000), ref: 004020BB

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNEL32(?), ref: 00401C10

Strings

TaskStart, xrefs: 00402145
t.wnry, xrefs: 00402125
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
attrib +h ., xrefs: 004020DC

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AttributesDirectorystrrchr$ByteCharCopyCurrentFullMultiNamePathWideWindows__p___argvstrcmpswprintf
String ID: TaskStart$attrib +h .$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1074704982-2844324180
Opcode ID: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction ID: 0f1cc1f94130967d107883c1ee7151828ebb686b55f89e1ef1b9593e139f0a32
Opcode Fuzzy Hash: 89895d8f6934e01f58802458fd3b58e20f5d1862df0252ba7c7124bca42d23be
Instruction Fuzzy Hash: 25318172500319AEDB24B7B19E89E9F376C9F10319F20057FF645F65E2DE788D488A28

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100registrystringCOMMON

Download Yara Rule

APIs

wcscat.MSVCRT(?,WanaCrypt0r,?,0000DDB6), ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT(?), ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

0@, xrefs: 00401157
Software\, xrefs: 0040110A
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 00401B5F Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,0040F8AC,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNEL32(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT(?,0000005C), ref: 00401CAC
wcsrchr.MSVCRT(?,0000005C), ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21

Strings

%s\Intel, xrefs: 00401C4D
%s\ProgramData, xrefs: 00401BFE

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData
API String ID: 3806094219-198707228
Opcode ID: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: e04e666ac5ff563214b472014ed4c30e25de200c4a7bf1775954a8b15fda063a
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004021E9 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?!@,00000040,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402463

SetLastError.KERNEL32(000000C1,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,0000DDB6,?,00402185,0040216E,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2), ref: 00402313
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3,004021B2,00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,8328EC83,?,?,?,?,?,?,?,?,?,?,00402185,00402198,004021A3), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT(?,00000000,?), ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

?!@, xrefs: 004021F8
GetNativeSystemInfo, xrefs: 004022A1
kernel32.dll, xrefs: 0040228C

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: ?!@$GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-3657104962
Opcode ID: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 0e24c0e50799aa35dd9f5fcc36a4565fcb8133d83dc7aa1daf15d2422d00f892
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B12
CreateDirectoryW.KERNEL32(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNEL32(?), ref: 00401B21
GetFileAttributesW.KERNEL32(?), ref: 00401B2C
SetFileAttributesW.KERNEL32(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63processsynchronizationCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 004077BA Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT(00000002), ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$__getmainargs__p__commode__p__fmode__set_app_type
String ID:
API String ID: 3626615345-0
Opcode ID: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction ID: 63d29f1c4e41429a3497612c8de1f509d91e94429ea3a2aefb8dc74a018e4fb3
Opcode Fuzzy Hash: bfbd7971593811c7fff28e35bb39fa0d644f96314b868f8e424e213b276a966c
Instruction Fuzzy Hash: 51318BB1D04344AFDB20AFA5DE49F5A7BA8BB05710F10463EF541B72E0CB786805CB59

Function 00407831 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

__setusermatherr.MSVCRT(0040793C), ref: 00407836

Part of subcall function 0040792A: _controlfp.MSVCRT(00010000,00030000,00407842), ref: 00407934

_initterm.MSVCRT(0040E008,0040E00C), ref: 0040784C
__getmainargs.MSVCRT(?,?,?,?,0040E008,0040E00C), ref: 0040786F
_initterm.MSVCRT(0040E000,0040E004), ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.MSVCRT(00000000,00000000,?,?,?,?), ref: 004078F2
_XcptFilter.MSVCRT(?,?,?,?,?,?), ref: 00407904

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__setusermatherr_controlfpexit
String ID:
API String ID: 2141228402-0
Opcode ID: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction ID: 738ed170af38765147f9c33b7b7214e7a7d60aeb9597ff7827fffae83538cc25
Opcode Fuzzy Hash: e2abdc3946810ebb19c889ba728617f0f692a6676515e3c370649a79fa0f1872
Instruction Fuzzy Hash: F52135B2C04258AEEB20AFA5DD48AAD7BB8AF05304F24443FF581B7291D7786841CB59

Function 004027DF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014,00000000,00000001,00000000,?!@,004023F5,00000000), ref: 00402812
realloc.MSVCRT(85000001,317459C0), ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Strings

?!@, xrefs: 004027DF

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID: ?!@
API String ID: 1241503663-708128716
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,0000018F,?,?,00000000), ref: 0040125F
wcslen.MSVCRT(?,?,00000000), ref: 00401279
wcslen.MSVCRT(?,00000000), ref: 00401298
srand.MSVCRT(00000001,00000000), ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74stringCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,?,?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,0000002F,0000002F,?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?,?,?), ref: 004070FB
strcat.MSVCRT(00000000,0000002F,?,?), ref: 0040710A
GetFileAttributesA.KERNEL32(00000000,?,?), ref: 00407118
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: 0838382564994867704b48d197d9141456e9ef10b941a736ac2fad3accdc9566
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35sleepCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT(?,%s%d,Global\MsWinZonesCacheCounterMutexA,00000000), ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNEL32(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

%s%d, xrefs: 00401F10
Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570,?,?,?,?,?,00000001), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574,?,?,?,?,?,00000001), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570,?,?,?,?,00000001), ref: 00403BD1

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 8f0cb0103d3614fdc28d84a5f541c19cbd02f6e6265a1098423f4cf3f0921468
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT(c.wnry,0040E018), ref: 0040101B
fread.MSVCRT(?,0000030C,00000001,00000000), ref: 0040103F
fwrite.MSVCRT(?,0000030C,00000001,00000000), ref: 00401047
fclose.MSVCRT(00000000), ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 004018F9 Relevance: 7.6, APIs: 5, Instructions: 79filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
_local_unwind2.MSVCRT(?,000000FF,?,?,?,?,?,?,00401448,?), ref: 004019A6

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateGlobalReadSize_local_unwind2
String ID:
API String ID: 2811923685-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA,00000000,004020D5,?), ref: 00405C38
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,00000000,00000140,?,00406C12,00000000,00401DFE,00000001,00000000,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00402924 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(P!@,?,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 00402989
SetLastError.KERNEL32(0000007F,?,0000DDB6,?,?,?,00402150,00000000,TaskStart), ref: 004029A7

Strings

P!@, xrefs: 00402951, 00402986, 0040295C

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast_stricmp
String ID: P!@
API String ID: 1278613211-1774101457
Opcode ID: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction ID: aaf1e2d36ba78ebe43aa6e6aad127835d86855a49192f4e92224227a9dbc2408
Opcode Fuzzy Hash: 03c3627be8870cecb91afdd38bef801573c0f783d9791e09bb9b18ce57a97af9
Instruction Fuzzy Hash: 432180B1700605EFDB14CF19DA8486A73F6EF89310B29857AE846EB381D678ED41CB85

Function 00401DFE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT(?,c.wnry,?,00000000,?), ref: 00401E5B
GetFileAttributesA.KERNEL32(?), ref: 00401E6E

Strings

c.wnry, xrefs: 00401E55

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFilestrcmp
String ID: c.wnry
API String ID: 3324900478-3240288721
Opcode ID: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction ID: 6f95607eaad4b3b0c5796a2914108af7bfa48759f01996e65d2c9759274caab0
Opcode Fuzzy Hash: cc95b26050e750b8ddedfaa82b6fbbed5bde767aecf08ad1744914d0cf1c8067
Instruction Fuzzy Hash: 3001C872D041142ADB209625DC41FEF336C9B45374F1005B7FA44F11C1E739AA998ADA

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: 95d67fc171dea6c803f2538cd8e9bf2129e8d776d8110548eb6437a9e23f5d7b
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Function 004019E1 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000009.00000002.1442532095.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000009.00000002.1442475771.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1442658037.0000000000408000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443004889.000000000040E000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000009.00000002.1443028456.0000000000410000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$Entermemcpy
String ID:
API String ID: 3435569088-0
Opcode ID: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: fd5125ef58b43d2b94afe930c36afa05085028d191ff952fa05313044055aa85
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report zgAMfHzvZN.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\WINDOWS\qeriuwjhrf (copy)

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
zgAMfHzvZN.dll

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON