Edit tour

Windows Analysis Report
txWVWM8Kx4.dll

Overview

General Information

Sample name:	txWVWM8Kx4.dll renamed because original name is a hash value
Original sample name:	07a5d326b196d166dc0618e7c25ac2b5.dll
Analysis ID:	1592069
MD5:	07a5d326b196d166dc0618e7c25ac2b5
SHA1:	7a23e2ef0682cfb8813a27dc559da187f9e178f5
SHA256:	5d7fa45d2fcb10893ee5bdbfc4b16bdeeffd34aa5791331332a8bbb1015cb63b
Tags:	dllexeuser-mentality
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Drops executables to the windows directory (C:\Windows) and starts them

Found Tor onion address

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses cmd line tools excessively to alter registry or file data

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4856 cmdline: loaddll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3148 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3816 cmdline: rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 3176 cmdline: C:\WINDOWS\mssecsvc.exe MD5: A75A57A712300662CE3FF1447A0C4805)

tasksche.exe (PID: 3552 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 79409B6F48460807480E4A574312D85F)

tasksche.exe (PID: 2520 cmdline: C:\ProgramData\dsvqhifq359\tasksche.exe MD5: 79409B6F48460807480E4A574312D85F)

attrib.exe (PID: 6512 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6788 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 3788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 3568 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 2124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 3872 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 3868 cmdline: rundll32.exe C:\Users\user\Desktop\txWVWM8Kx4.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 1120 cmdline: rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)

mssecsvc.exe (PID: 6332 cmdline: C:\WINDOWS\mssecsvc.exe MD5: A75A57A712300662CE3FF1447A0C4805)

tasksche.exe (PID: 2804 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 79409B6F48460807480E4A574312D85F)

tasksche.exe (PID: 2972 cmdline: C:\ProgramData\dsvqhifq359\tasksche.exe MD5: 79409B6F48460807480E4A574312D85F)

attrib.exe (PID: 6160 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 4824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 6052 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

attrib.exe (PID: 7160 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7140 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mssecsvc.exe (PID: 616 cmdline: C:\WINDOWS\mssecsvc.exe -m security MD5: A75A57A712300662CE3FF1447A0C4805)

cmd.exe (PID: 320 cmdline: cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

tasksche.exe (PID: 5268 cmdline: C:\ProgramData\dsvqhifq359\tasksche.exe MD5: 79409B6F48460807480E4A574312D85F)

attrib.exe (PID: 7096 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7084 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3816 cmdline: cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

tasksche.exe (PID: 7120 cmdline: C:\ProgramData\dsvqhifq359\tasksche.exe MD5: 79409B6F48460807480E4A574312D85F)

attrib.exe (PID: 1892 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 1016 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
txWVWM8Kx4.dll	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
txWVWM8Kx4.dll	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x45604:$x1: icacls . /grant Everyone:F /T /C /Q 0x38f735:$x2: taskdl.exe 0x353d0:$x3: tasksche.exe 0x455e0:$x3: tasksche.exe 0x455bc:$x4: Global\MsWinZonesCacheCounterMutexA 0x45634:$x5: WNcry@2ol7 0x3028:$x7: mssecsvc.exe 0x120ac:$x7: mssecsvc.exe 0x1b3b4:$x7: mssecsvc.exe 0x353a8:$x8: C:\%s\qeriuwjhrf 0x45604:$x9: icacls . /grant Everyone:F /T /C /Q 0x3014:$s1: C:\%s\%s 0x12098:$s1: C:\%s\%s 0x1b39c:$s1: C:\%s\%s 0x353bc:$s1: C:\%s\%s 0x38fe99:$s2: Windows 10 --> 0x45534:$s3: cmd.exe /c "%s" 0x77a88:$s4: msg/m_portuguese.wnry 0x38f307:$s4: msg/m_portuguese.wnry 0x326f0:$s5: \\192.168.56.20\IPC$ 0x1fae5:$s6: \\172.16.99.5\IPC$
txWVWM8Kx4.dll	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x455e0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x45608:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped Files

Source	Rule	Description	Author	Strings
C:\Windows\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x27c:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\ProgramData\dsvqhifq359\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x27c:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\ProgramData\dsvqhifq359\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\ProgramData\dsvqhifq359\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\ProgramData\dsvqhifq359\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\ProgramData\dsvqhifq359\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
C:\Windows\tasksche.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Windows\tasksche.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
C:\Windows\tasksche.exe	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
C:\Windows\tasksche.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 5 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000002.2605730753.000000000040F000.00000004.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000002.2068015450.000000000040F000.00000004.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2056001605.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000000A.00000000.2060906503.000000000040E000.00000008.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000013.00000002.2092835134.000000000040F000.00000004.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000010.00000002.2086246634.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000001A.00000002.2582916598.000000000040F000.00000004.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000013.00000000.2087719412.000000000040E000.00000008.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000008.00000000.2058421206.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0000001A.00000000.2577645149.000000000040E000.00000008.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000011.00000000.2085577185.000000000040E000.00000008.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000000.2053681836.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0000001F.00000000.2599504308.000000000040E000.00000008.00000001.01000000.00000008.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000011.00000002.3127527649.000000000040F000.00000004.00000001.01000000.00000007.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000010.00000000.2082010028.000000000040F000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32600:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32628:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x32e44:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32e6c:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf57c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf5a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Process Memory Space: mssecsvc.exe PID: 3176	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 616	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: mssecsvc.exe PID: 6332	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 32 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.mssecsvc.exe.1e74084.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.1e74084.3.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
7.2.mssecsvc.exe.23918c8.9.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.23918c8.9.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
7.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
16.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
16.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
26.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
26.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
26.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
26.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
19.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
19.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
19.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
19.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
31.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23c396c.8.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
31.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
31.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
31.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23c396c.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23c396c.8.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23c396c.8.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
17.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
16.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
26.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
26.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
26.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
26.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
10.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
10.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
10.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
10.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
19.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
19.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
19.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
19.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23a0948.7.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23a0948.7.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x37c651:$x2: taskdl.exe 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x37cdb5:$s2: Windows 10 --> 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x37c223:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23a0948.7.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.23a0948.7.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
17.2.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
17.2.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
17.2.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
5.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
16.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
16.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e83104.4.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e83104.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x32520:$x1: icacls . /grant Everyone:F /T /C /Q 0x37c651:$x2: taskdl.exe 0x222ec:$x3: tasksche.exe 0x324fc:$x3: tasksche.exe 0x324d8:$x4: Global\MsWinZonesCacheCounterMutexA 0x32550:$x5: WNcry@2ol7 0x82d0:$x7: mssecsvc.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x32520:$x9: icacls . /grant Everyone:F /T /C /Q 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x37cdb5:$s2: Windows 10 --> 0x32450:$s3: cmd.exe /c "%s" 0x649a4:$s4: msg/m_portuguese.wnry 0x37c223:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$ 0x25a26:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x25700:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x252ec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e83104.4.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1e83104.4.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x324fc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x32524:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ea6128.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
5.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
5.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1ea6128.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ea6128.2.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ea6128.2.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
8.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
8.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
8.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
8.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
7.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.23918c8.9.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23918c8.9.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xad6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0xade35:$s2: Windows 10 --> 0xad2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.23918c8.9.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.23918c8.9.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ...
31.0.tasksche.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
31.0.tasksche.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
31.0.tasksche.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
31.0.tasksche.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.239c8e8.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.239c8e8.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x3806b1:$x2: taskdl.exe 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x380e15:$s2: Windows 10 --> 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x380283:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.239c8e8.6.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e7f0a4.5.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e7f0a4.5.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x36580:$x1: icacls . /grant Everyone:F /T /C /Q 0x3806b1:$x2: taskdl.exe 0x2634c:$x3: tasksche.exe 0x3655c:$x3: tasksche.exe 0x36538:$x4: Global\MsWinZonesCacheCounterMutexA 0x365b0:$x5: WNcry@2ol7 0xc330:$x7: mssecsvc.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0x36580:$x9: icacls . /grant Everyone:F /T /C /Q 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x380e15:$s2: Windows 10 --> 0x364b0:$s3: cmd.exe /c "%s" 0x68a04:$s4: msg/m_portuguese.wnry 0x380283:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$ 0x29a86:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x29760:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x2934c:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1e7f0a4.5.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x3655c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x36584:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23a0948.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23a0948.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x377e51:$x2: taskdl.exe 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x3785b5:$s2: Windows 10 --> 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x377a23:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x21226:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x20f00:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x20aec:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23a0948.7.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23c396c.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.23c396c.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.23c396c.8.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.23c396c.8.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.2.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.2.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
16.2.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.2.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
5.0.mssecsvc.exe.7100a4.1.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
5.0.mssecsvc.exe.7100a4.1.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
5.0.mssecsvc.exe.7100a4.1.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
5.0.mssecsvc.exe.7100a4.1.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.7100a4.1.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.7100a4.1.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.7100a4.1.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.7100a4.1.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
7.2.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1ea6128.2.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1ea6128.2.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
7.2.mssecsvc.exe.1ea6128.2.raw.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1ea6128.2.raw.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e74084.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e74084.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x280de4:$x1: icacls . /grant Everyone:F /T /C /Q 0xad6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x270bb0:$x3: tasksche.exe 0x280dc0:$x3: tasksche.exe 0x280d9c:$x4: Global\MsWinZonesCacheCounterMutexA 0x280e14:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x23b26c:$x7: mssecsvc.exe 0x256b94:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x270b88:$x8: C:\%s\qeriuwjhrf 0x280de4:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x23b254:$s1: C:\%s\%s 0x256b7c:$s1: C:\%s\%s 0x270b9c:$s1: C:\%s\%s 0xade35:$s2: Windows 10 --> 0x280d14:$s3: cmd.exe /c "%s" 0xad2a3:$s4: msg/m_portuguese.wnry
7.2.mssecsvc.exe.1e74084.3.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
7.2.mssecsvc.exe.1e74084.3.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x280dc0:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x280de8:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
7.2.mssecsvc.exe.1e74084.3.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2738fe:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x247984:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x2478d4:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x24925a:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x2790a2:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
16.0.mssecsvc.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
16.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x415a0:$x1: icacls . /grant Everyone:F /T /C /Q 0x38b6d1:$x2: taskdl.exe 0x3136c:$x3: tasksche.exe 0x4157c:$x3: tasksche.exe 0x41558:$x4: Global\MsWinZonesCacheCounterMutexA 0x415d0:$x5: WNcry@2ol7 0x17350:$x7: mssecsvc.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x415a0:$x9: icacls . /grant Everyone:F /T /C /Q 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x38be35:$s2: Windows 10 --> 0x414d0:$s3: cmd.exe /c "%s" 0x73a24:$s4: msg/m_portuguese.wnry 0x38b2a3:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88 0x34aa6:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C
16.0.mssecsvc.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
16.0.mssecsvc.exe.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4157c:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x415a4:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
16.0.mssecsvc.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x340ba:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x8140:$main_3: 83 EC 50 56 57 B9 0E 00 00 00 BE D0 13 43 00 8D 7C 24 08 33 C0 F3 A5 A4 89 44 24 41 89 44 24 45 89 44 24 49 89 44 24 4D 89 44 24 51 66 89 44 24 55 50 50 50 6A 01 50 88 44 24 6B FF 15 34 A1 40 ... 0x8090:$start_service_3: 83 EC 10 68 04 01 00 00 68 60 F7 70 00 6A 00 FF 15 6C A0 40 00 FF 15 2C A1 40 00 83 38 02 7D 09 E8 6B FE FF FF 83 C4 10 C3 57 68 3F 00 0F 00 6A 00 6A 00 FF 15 10 A0 40 00 8B F8 85 FF 74 32 53 ... 0x9a16:$entrypoint_all: 55 8B EC 6A FF 68 A0 A1 40 00 68 A2 9B 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C0 A0 40 00 59 83 0D 94 F8 70 00 FF 83 0D 98 F8 70 ... 0x3985e:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
7.2.mssecsvc.exe.1e83104.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
7.2.mssecsvc.exe.1e83104.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2dd20:$x1: icacls . /grant Everyone:F /T /C /Q 0x377e51:$x2: taskdl.exe 0x1daec:$x3: tasksche.exe 0x2dcfc:$x3: tasksche.exe 0x2dcd8:$x4: Global\MsWinZonesCacheCounterMutexA 0x2dd50:$x5: WNcry@2ol7 0x76d0:$x7: mssecsvc.exe 0x5059ec:$x7: mssecsvc.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x2dd20:$x9: icacls . /grant Everyone:F /T /C /Q 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x5059d4:$s1: C:\%s\%s 0x3785b5:$s2: Windows 10 --> 0x2dc50:$s3: cmd.exe /c "%s" 0x601a4:$s4: msg/m_portuguese.wnry 0x377a23:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$ 0x50ca3a:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x50b3a9:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
7.2.mssecsvc.exe.1e83104.4.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x2dcfc:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x2dd24:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Click to see the 170 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: txWVWM8Kx4.dll

Avira: detected

Antivirus detection for dropped file

Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\tasksche.exe	Avira: detection malicious, Label: TR/Ransom.Gen

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\dsvqhifq359\tasksche.exe	ReversingLabs: Detection: 92%
Source: C:\WINDOWS\qeriuwjhrf (copy)	ReversingLabs: Detection: 92%
Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: txWVWM8Kx4.dll	ReversingLabs: Detection: 94%
Source: txWVWM8Kx4.dll	Virustotal: Detection: 91%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Joe Sandbox ML: detected
Source: C:\Windows\tasksche.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: txWVWM8Kx4.dll

Joe Sandbox ML: detected

Source: C:\Windows\tasksche.exe	Code function: 8_2_00401861 CryptImportKey,	8_2_00401861
Source: C:\Windows\tasksche.exe	Code function: 8_2_0040182C CryptAcquireContextA,	8_2_0040182C
Source: C:\Windows\tasksche.exe	Code function: 8_2_004019E1 EnterCriticalSection,CryptDecrypt,LeaveCriticalSection,LeaveCriticalSection,memcpy,	8_2_004019E1
Source: C:\Windows\tasksche.exe	Code function: 8_2_004018F9 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,	8_2_004018F9
Source: C:\Windows\tasksche.exe	Code function: 8_2_004018B9 CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	8_2_004018B9

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: txWVWM8Kx4.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49903 version: TLS 1.0

Source: C:\Windows\SysWOW64\icacls.exe

Directory queried: number of queries: 1128

Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll	Jump to behavior

Networking

Found Tor onion address

Source: tasksche.exe, 00000008.00000003.3083651538.0000000002458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Cgx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 00000008.00000002.3097641261.0000000002440000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 0000000A.00000002.2069229632.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 00000011.00000002.3129573499.0000000002670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 00000013.00000002.2093470170.0000000001120000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 0000001A.00000002.2583314709.0000000002430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip]
Source: tasksche.exe, 0000001F.00000002.2606203668.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipd
Source: c.wnry.10.dr	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: c.wnry.8.dr	String found in binary or memory: C115p7UMMngoj1pMvkpHijcRdfJNXj6LrLngx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49903 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.23
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.23
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.23
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.23
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 52.34.64.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.129
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.129
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.129
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.129
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 59.178.161.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.2
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.2
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.2
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.2
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 161.26.121.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.157
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.157
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.157
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.157
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1
Source: unknown	TCP traffic detected without corresponding DNS query: 133.14.202.1

Source: tasksche.exe, 00000008.00000003.3084436455.0000000002443000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000008.00000003.3084603383.0000000002443000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000011.00000003.3108009351.0000000002673000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000011.00000003.3108370134.0000000002673000.00000004.00000020.00020000.00000000.sdmp, m_czech.wnry.8.dr, m_danish.wnry.8.dr, m_czech.wnry.10.dr, m_danish.wnry.10.dr	String found in binary or memory: http://schemas.micr
Source: m_japanese.wnry.8.dr, m_japanese.wnry.10.dr	String found in binary or memory: http://schemas.microso
Source: m_vietnamese.wnry.8.dr, m_vietnamese.wnry.10.dr	String found in binary or memory: http://schemas.microsoft.
Source: c.wnry.8.dr	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: tasksche.exe, 0000001F.00000002.2606203668.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipd

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,ReadFile,memcmp,strrchr,ReadFile,ReadFile,ReadFile,ReadFile,GlobalAlloc,ReadFile,_local_unwind2, WANACRY!		8_2_004014B3
Source: C:\Windows\tasksche.exe	Code function: strrchr,CreateFileA,GetFileSizeEx,ReadFile,memcmp,strrchr,ReadFile,ReadFile,ReadFile,ReadFile,GlobalAlloc,ReadFile,_local_unwind2, WANACRY!		8_2_004014A6

Yara detected Wannacry ransomware

Source: Yara match	File source: txWVWM8Kx4.dll, type: SAMPLE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.239c8e8.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e7f0a4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23a0948.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.mssecsvc.exe.1e83104.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2056001605.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2086246634.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.2053681836.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2082010028.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 3176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mssecsvc.exe PID: 6332, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\tasksche.exe, type: DROPPED

Source: C:\Windows\tasksche.exe	Code function: 8_2_00401861 CryptImportKey,		8_2_00401861
Source: C:\Windows\tasksche.exe	Code function: 8_2_004018F9 CreateFileA,GetFileSize,GlobalAlloc,ReadFile,CryptImportKey,_local_unwind2,		8_2_004018F9

System Summary

Malicious sample detected (through community Yara rule)

Source: txWVWM8Kx4.dll, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: txWVWM8Kx4.dll, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e74084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e74084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23918c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23918c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.239c8e8.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.239c8e8.6.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e7f0a4.5.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e7f0a4.5.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23a0948.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23a0948.7.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 7.2.mssecsvc.exe.1e83104.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 7.2.mssecsvc.exe.1e83104.4.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000001F.00000002.2605730753.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000002.2068015450.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000000A.00000000.2060906503.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000013.00000002.2092835134.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000001A.00000002.2582916598.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000013.00000000.2087719412.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000008.00000000.2058421206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000001A.00000000.2577645149.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000000.2085577185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0000001F.00000000.2599504308.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000011.00000002.3127527649.000000000040F000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\ProgramData\dsvqhifq359\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\b.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\c.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_bulgarian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_chinese (simplified).wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_chinese (traditional).wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_croatian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_czech.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_danish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_dutch.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_english.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_filipino.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_finnish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_french.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_german.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_greek.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_indonesian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_italian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_japanese.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_korean.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_latvian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_norwegian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_polish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_portuguese.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_romanian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_russian.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_slovak.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_spanish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_swedish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_turkish.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\msg\m_vietnamese.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\r.wnry	Jump to behavior
Source: C:\Windows\tasksche.exe	File created: C:\WINDOWS\s.wnry	Jump to behavior
Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\tasksche.exe	Jump to behavior

Source: C:\Windows\tasksche.exe	Code function: 8_2_00402A76	8_2_00402A76
Source: C:\Windows\tasksche.exe	Code function: 8_2_00402E7E	8_2_00402E7E
Source: C:\Windows\tasksche.exe	Code function: 8_2_0040350F	8_2_0040350F
Source: C:\Windows\tasksche.exe	Code function: 8_2_00404C19	8_2_00404C19
Source: C:\Windows\tasksche.exe	Code function: 8_2_0040541F	8_2_0040541F
Source: C:\Windows\tasksche.exe	Code function: 8_2_00406D26	8_2_00406D26
Source: C:\Windows\tasksche.exe	Code function: 8_2_004043D1	8_2_004043D1
Source: C:\Windows\tasksche.exe	Code function: 8_2_00403797	8_2_00403797
Source: C:\Windows\tasksche.exe	Code function: 8_2_004031BC	8_2_004031BC

Source: Joe Sandbox View	Dropped File: C:\ProgramData\dsvqhifq359\tasksche.exe 331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
Source: Joe Sandbox View	Dropped File: C:\WINDOWS\qeriuwjhrf (copy) 331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
Source: Joe Sandbox View	Dropped File: C:\Windows\tasksche.exe 331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A

Source: tasksche.exe.5.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: tasksche.exe.8.dr	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate

Source: txWVWM8Kx4.dll	Binary or memory string: OriginalFilenamediskpart.exej% vs txWVWM8Kx4.dll
Source: txWVWM8Kx4.dll	Binary or memory string: OriginalFilenamelhdfrgui.exej% vs txWVWM8Kx4.dll

Source: txWVWM8Kx4.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Source: txWVWM8Kx4.dll, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: txWVWM8Kx4.dll, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e74084.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e74084.3.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23918c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23918c8.9.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 26.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 19.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 31.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23c396c.8.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 26.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 10.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 19.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.23a0948.7.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 17.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1e83104.4.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ea6128.2.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 8.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.23918c8.9.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 31.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.239c8e8.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.239c8e8.6.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e7f0a4.5.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e7f0a4.5.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23a0948.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23a0948.7.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.23c396c.8.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.2.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 5.0.mssecsvc.exe.7100a4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.7100a4.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1ea6128.2.raw.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 7.2.mssecsvc.exe.1e74084.3.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 16.0.mssecsvc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 7.2.mssecsvc.exe.1e83104.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 7.2.mssecsvc.exe.1e83104.4.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000001F.00000002.2605730753.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000002.2068015450.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000000A.00000000.2060906503.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000013.00000002.2092835134.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000001A.00000002.2582916598.000000000040F000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000013.00000000.2087719412.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000008.00000000.2058421206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000001A.00000000.2577645149.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000000.2085577185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0000001F.00000000.2599504308.000000000040E000.00000008.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000011.00000002.3127527649.000000000040F000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ProgramData\dsvqhifq359\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\ProgramData\dsvqhifq359\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\Windows\tasksche.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: tasksche.exe.5.dr	Binary string: h\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\MOP030B\American McGee's Alice
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\03edc404e68b95b7e0b07a0416c8e4a7\System.Transactions.ni.dll.auxthp
Source: tasksche.exe.5.dr	Binary string: `\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\FastStone Image ViewerD
Source: tasksche.exe.5.dr	Binary string: I\Device\HarddiskVolume1\Program Files\Microsoft Office\Office14\EXCEL.EXEp
Source: tasksche.exe.5.dr	Binary string: {\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.inihip
Source: tasksche.exe.5.dr	Binary string: >\Device\HarddiskVolume1\Program Files\TrueKey\TrueKeyVault.dllty
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\ksuser.dllorp
Source: tasksche.exe.5.dr	Binary string: w\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Harry Potter and the Deathly Hallows - Part 1p
Source: tasksche.exe.5.dr	Binary string: e\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndexp
Source: tasksche.exe.5.dr	Binary string: K\Device\HarddiskVolume1\Program Files\Microsoft Office\Office14\WINWORD.EXEd-p
Source: tasksche.exe.5.dr	Binary string: 2\Device\HarddiskVolume1\Windows\System32\wbem\Logsthip
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wsbep
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.widlp
Source: tasksche.exe.5.dr	Binary string: 8\Device\HarddiskVolume1\Program Files\TrueKey\thrift.dllop
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\33056cb1c9e7cf51ee0a4168997f0db4p
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\fa881a9dd9820b29ec20e9d90c6a0d99\CustomMarshalers.ni.dll.auxp
Source: tasksche.exe.5.dr	Binary string: S\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll\|\|p
Source: tasksche.exe.5.dr	Binary string: :\Device\HarddiskVolume1\Windows\System32\config\COMPONENTSxyz
Source: tasksche.exe.5.dr	Binary string: V\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edbbrep
Source: tasksche.exe.5.dr	Binary string: _\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Yandex
Source: tasksche.exe.5.dr	Binary string: K\Device\HarddiskVolume1\Windows\System32\config\systemprofile\AppData\Localtyp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\msidle.dllarp
Source: tasksche.exe.5.dr	Binary string: L\Device\HarddiskVolume1\Program Files\TrueKey\providers\deviceIDProvider.dll.p
Source: tasksche.exe.5.dr	Binary string: h\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Skachat Torrent
Source: tasksche.exe.5.dr	Binary string: X\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#ep
Source: tasksche.exe.5.dr	Binary string: N\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllt^$p
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\cf330aa5c9f2a48448933edac5333406\System.DirectoryServices.ni.dll.auxp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\QAGENT.DLLEtp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\scrrun.dll@
Source: tasksche.exe.5.dr	Binary string: <\Device\HarddiskVolume1\Windows\System32\ru-RU\tzres.dll.muiap
Source: tasksche.exe.5.dr	Binary string: x\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.001pF
Source: tasksche.exe.5.dr	Binary string: r\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\/
Source: tasksche.exe.5.dr	Binary string: 8\Device\HarddiskVolume1\Windows\System32\mfreadwrite.dll.p
Source: tasksche.exe.5.dr	Binary string: _\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\/
Source: tasksche.exe.5.dr	Binary string: l\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\|.
Source: tasksche.exe.5.dr	Binary string: E\Device\HarddiskVolume1\Program Files\TrueKey\logs\Log.2017-05-12.logp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dllnksp
Source: tasksche.exe.5.dr	Binary string: S\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\PotPlayer
Source: tasksche.exe.5.dr	Binary string: F\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applicationspar
Source: tasksche.exe.5.dr	Binary string: 2\Device\HarddiskVolume1\Windows\System32\adsnt.dll.cop
Source: tasksche.exe.5.dr	Binary string: G\Device\HarddiskVolume1\ProgramData\Bluestacks\Logs\BlueStacksUsers.log.np
Source: tasksche.exe.5.dr	Binary string: Q\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\MOP030B&
Source: tasksche.exe.5.dr	Binary string: l\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStoreu.
Source: tasksche.exe.5.dr	Binary string: L\Device\HarddiskVolume1\Program Files\Microsoft Office\Office14\POWERPNT.EXEk
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\mfplat.dllmgp
Source: tasksche.exe.5.dr	Binary string: K\Device\HarddiskVolume1\Users\User\AppData\Local\Yandex\BrowserManager\datay
Source: tasksche.exe.5.dr	Binary string: p\Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtxp
Source: tasksche.exe.5.dr	Binary string: e\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Suicide Squad - Special OpsN
Source: tasksche.exe.5.dr	Binary string: 5\Device\HarddiskVolume1\Windows\System32\rundll32.exep
Source: tasksche.exe.5.dr	Binary string: c\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex^$,
Source: tasksche.exe.5.dr	Binary string: P\Device\HarddiskVolume1\Windows\System32\api-ms-win-downlevel-shell32-l1-1-0.dllap
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\cc649e0f5426f48bb9361c159b8e707f\System.Data.ni.dll.aux
Source: tasksche.exe.5.dr	Binary string: V\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chkann
Source: tasksche.exe.5.dr	Binary string: W\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactionsro\|
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dllhp
Source: tasksche.exe.5.dr	Binary string: ?\Device\HarddiskVolume1\Windows\System32\ru-RU\WUDFHost.exe.mui
Source: tasksche.exe.5.dr	Binary string: ?\Device\HarddiskVolume1\Windows\System32\config\COMPONENTS.LOG1
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\03edc404e68b95b7e0b07a0416c8e4a7\System.Transactions.ni.dlldi
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.ciy
Source: tasksche.exe.5.dr	Binary string: O\Device\HarddiskVolume1\Program Files\NVIDIA Corporation\Display\nvsmartmax.dll^$p
Source: tasksche.exe.5.dr	Binary string: _\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
Source: tasksche.exe.5.dr	Binary string: T\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalersep
Source: tasksche.exe.5.dr	Binary string: p\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\StarGame\Alice.Madness Returns + 2 DLCp
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnkp
Source: tasksche.exe.5.dr	Binary string: L\Device\HarddiskVolume1\Program Files\TrueKey\providers\LocationProvider.dllph
Source: tasksche.exe.5.dr	Binary string: ?\Device\HarddiskVolume1\Windows\System32\drivers\UMDF\WpdFs.dll
Source: tasksche.exe.5.dr	Binary string: z\Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xaml\v4.0_4.0.0.0__b77a5c561934e089\System.Xaml.dllU+
Source: tasksche.exe.5.dr	Binary string: S\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\WinDjView
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\wbem\ru-RU
Source: tasksche.exe.5.dr	Binary string: l\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStoren.
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dllcp
Source: tasksche.exe.5.dr	Binary string: O\Device\HarddiskVolume1\Users\User\AppData\Local\Yandex\BrowserManager\settingsrd
Source: tasksche.exe.5.dr	Binary string: W\Device\HarddiskVolume1\Program Files\Alice.Madness Returns + 2 DLC\GDFBinary.en-us.dll.cp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.dir-p
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\netman.dllhip
Source: tasksche.exe.5.dr	Binary string: l\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStoreeH
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dllp
Source: tasksche.exe.5.dr	Binary string: X\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\World of Tanks
Source: tasksche.exe.5.dr	Binary string: _\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AIDA64@
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dllap
Source: tasksche.exe.5.dr	Binary string: O\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dllsitp
Source: tasksche.exe.5.dr	Binary string: 5\Device\HarddiskVolume1\Windows\System32\bthprops.cplp
Source: tasksche.exe.5.dr	Binary string: x\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000rp
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.002H
Source: tasksche.exe.5.dr	Binary string: R\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\StarGame
Source: tasksche.exe.5.dr	Binary string: ?\Device\HarddiskVolume1\Windows\System32\config\COMPONENTS.LOG2.cp
Source: tasksche.exe.5.dr	Binary string: E\Device\HarddiskVolume1\Program Files\Bluestacks\HD-Logger-Native.dllp
Source: tasksche.exe.5.dr	Binary string: Q\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\MOP030Bp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\37523c98ca4b37b2a6d189294e443202\System.Runtime.Serialization.ni.dllp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\37523c98ca4b37b2a6d189294e443202\System.Runtime.Serialization.ni.dll.auxp
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001p
Source: tasksche.exe.5.dr	Binary string: k\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMaptyp
Source: tasksche.exe.5.dr	Binary string: l\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStoreg.
Source: tasksche.exe.5.dr	Binary string: H\Device\HarddiskVolume1\Program Files\TrueKey\providers\faceProvider.dllsp
Source: tasksche.exe.5.dr	Binary string: ^\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games
Source: tasksche.exe.5.dr	Binary string: R\Device\HarddiskVolume1\Users\User\AppData\Local\Yandex\BrowserManager\Logs\bm.logparp
Source: tasksche.exe.5.dr	Binary string: q\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenup
Source: tasksche.exe.5.dr	Binary string: Q\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Nero 11p
Source: tasksche.exe.5.dr	Binary string: T\Device\HarddiskVolume1\Users\User\AppData\Local\Yandex\BrowserManager\data\settingscp
Source: tasksche.exe.5.dr	Binary string: D\Device\HarddiskVolume1\Windows\assembly\GAC_MSIL\mscorlib.resourcesgp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\tquery.dlllep
Source: tasksche.exe.5.dr	Binary string: V\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edbfirp
Source: tasksche.exe.5.dr	Binary string: \|\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts8
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\winsxs\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.18766_none_0b32a93025b365c1\wcp.dllp
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.001H
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\FXSAPI.dllcop
Source: tasksche.exe.5.dr	Binary string: 7\Device\HarddiskVolume1\Windows\System32\CertEnroll.dllarp
Source: tasksche.exe.5.dr	Binary string: Y\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogsp
Source: tasksche.exe.5.dr	Binary string: /\Device\HarddiskVolume1\Windows\System32\mf.dlly
Source: tasksche.exe.5.dr	Binary string: c\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee Security Scan Plus
Source: tasksche.exe.5.dr	Binary string: 2\Device\HarddiskVolume1\Windows\System32\wshom.ocx
Source: tasksche.exe.5.dr	Binary string: 6\Device\HarddiskVolume1\Windows\System32\srchadmin.dll
Source: tasksche.exe.5.dr	Binary string: 4\Device\HarddiskVolume1\Windows\System32\WMVCORE.DLLip
Source: tasksche.exe.5.dr	Binary string: G\Device\HarddiskVolume1\Program Files\Windows Media Player\wmpnssci.dll
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\cc649e0f5426f48bb9361c159b8e707f\System.Data.ni.dll0
Source: tasksche.exe.5.dr	Binary string: 4\Device\HarddiskVolume1\Windows\servicing\CbsMsg.dllp
Source: tasksche.exe.5.dr	Binary string: x\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.002xp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.dirmp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\rasdlg.dllinp
Source: tasksche.exe.5.dr	Binary string: S\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\PotPlayer@
Source: tasksche.exe.5.dr	Binary string: 7\Device\HarddiskVolume1\Windows\System32\CertEnroll.dllku
Source: tasksche.exe.5.dr	Binary string: 9\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Datap
Source: tasksche.exe.5.dr	Binary string: G\Device\HarddiskVolume1\ProgramData\NVIDIA Corporation\Drs\nvdrsdb1.binlip
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Ease of Access.lnkp
Source: tasksche.exe.5.dr	Binary string: m\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.dllp
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\cf330aa5c9f2a48448933edac5333406\System.DirectoryServices.ni.dll
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\fa881a9dd9820b29ec20e9d90c6a0d99\CustomMarshalers.ni.dllx
Source: tasksche.exe.5.dr	Binary string: 7\Device\HarddiskVolume1\Windows\System32\CertEnroll.dllco
Source: tasksche.exe.5.dr	Binary string: H\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Temp\usgthrsvcrp
Source: tasksche.exe.5.dr	Binary string: y\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000H
Source: tasksche.exe.5.dr	Binary string: :\Device\HarddiskVolume1\Windows\System32\wbem\cimwin32.dll
Source: tasksche.exe.5.dr	Binary string: V\Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.logparp
Source: tasksche.exe.5.dr	Binary string: X\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#ep
Source: tasksche.exe.5.dr	Binary string: >\Device\HarddiskVolume1\Windows\System32\en-US\azroles.dll.mui
Source: tasksche.exe.5.dr	Binary string: X\Device\HarddiskVolume1\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#p
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci\|\|p
Source: tasksche.exe.5.dr	Binary string: V\Device\HarddiskVolume1\Users\User\AppData\Local\Yandex\BrowserManager\Crypto.Core.dll\|\|cp
Source: tasksche.exe.5.dr	Binary string: 4\Device\HarddiskVolume1\ProgramData\Microsoft\Searchup
Source: tasksche.exe.5.dr	Binary string: 4\Device\HarddiskVolume1\Windows\System32\mspaint.exejp
Source: tasksche.exe.5.dr	Binary string: 3\Device\HarddiskVolume1\Windows\System32\wscapi.dll.pp
Source: tasksche.exe.5.dr	Binary string: J\Device\HarddiskVolume1\Program Files\Microsoft Office\Office14\MSTORE.EXEes.p
Source: tasksche.exe.5.dr	Binary string: D\Device\HarddiskVolume1\Program Files\TrueKey\system.data.sqlite.dllnp
Source: tasksche.exe.5.dr	Binary string: e\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\Suicide Squad - Special Ops
Source: tasksche.exe.5.dr	Binary string: ;\Device\HarddiskVolume1\Program Files\Skype\Phone\Skype.exeetp
Source: tasksche.exe.5.dr	Binary string: @\Device\HarddiskVolume1\Program Files\TrueKey\sqlite.interop.dllop
Source: tasksche.exe.5.dr	Binary string: \\Device\HarddiskVolume1\ProgramData\Microsoft\Windows\Start Menu\Programs\PRO"
Source: tasksche.exe.5.dr	Binary string: \|\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts$p
Source: tasksche.exe.5.dr	Binary string: 4\Device\HarddiskVolume1\Windows\System32\ieframe.dllnF
Source: tasksche.exe.5.dr	Binary string: ,\Device\HarddiskVolume1\Users\User\Favorites-p
Source: tasksche.exe.5.dr	Binary string: v\Device\HarddiskVolume1\Program Files\Alice.Madness Returns + 2 DLC\Game\Alice2\Binaries\Win32\AliceMadnessReturns.exe\|mop
Source: tasksche.exe.5.dr	Binary string: 5\Device\HarddiskVolume1\Windows\System32\perfproc.dllp
Source: tasksche.exe.5.dr	Binary string: 7\Device\HarddiskVolume1\Windows\System32\framedynos.dll
Source: tasksche.exe.5.dr	Binary string: \Device\HarddiskVolume1\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.SqlXml\v4.0_4.0.0.0__b77a5c561934e089\System.Data.SqlXml.dllp
Source: tasksche.exe.5.dr	Binary string: ~\Device\HarddiskVolume1\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnkT+

Source: mssecsvc.exe, 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvc.exe, 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000008.00000000.2058421206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmp, tasksche.exe, 0000000A.00000000.2060906503.000000000040E000.00000008.00000001.01000000.00000008.sdmp, tasksche.exe, 0000000A.00000002.2067985985.000000000040E000.00000008.00000001.01000000.00000008.sdmp, mssecsvc.exe, 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 00000011.00000002.3127479884.000000000040E000.00000008.00000001.01000000.00000007.sdmp, tasksche.exe, 00000011.00000000.2085577185.000000000040E000.00000008.00000001.01000000.00000007.sdmp

Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.expl.evad.winDLL@66/67@0/100

Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	5_2_00407C40
Source: C:\Windows\mssecsvc.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,	7_2_00407C40
Source: C:\Windows\tasksche.exe	Code function: OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,sprintf,CreateServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	8_2_00401CE8

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,

5_2_00407CE0

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\Windows\mssecsvc.exe	Code function: 5_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		5_2_00408090
Source: C:\Windows\mssecsvc.exe	Code function: 7_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		7_2_00408090

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03

Source: txWVWM8Kx4.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\txWVWM8Kx4.dll,PlayGame

Source: txWVWM8Kx4.dll	ReversingLabs: Detection: 94%
Source: txWVWM8Kx4.dll	Virustotal: Detection: 91%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\txWVWM8Kx4.dll,PlayGame
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: unknown	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe -m security
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",PlayGame
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\tasksche.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\tasksche.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\txWVWM8Kx4.dll,PlayGame	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",PlayGame	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvc.exe C:\WINDOWS\mssecsvc.exe	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\mssecsvc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: txWVWM8Kx4.dll

Static file information: File size 5267459 > 1048576

Source: txWVWM8Kx4.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x501000

Source: C:\Windows\tasksche.exe

Code function: 8_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00401A45

Source: C:\Windows\tasksche.exe	Code function: 8_2_00407710 push eax; ret		8_2_0040773E
Source: C:\Windows\tasksche.exe	Code function: 8_2_004076C8 push eax; ret		8_2_004076E6

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\mssecsvc.exe	Executable created and started: C:\WINDOWS\tasksche.exe			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Executable created and started: C:\WINDOWS\mssecsvc.exe			Jump to behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe
Source: C:\Windows\tasksche.exe	Process created: attrib.exe
Source: C:\Windows\tasksche.exe	Process created: attrib.exe
Source: C:\Windows\tasksche.exe	Process created: attrib.exe	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe	Jump to behavior
Source: C:\Windows\tasksche.exe	Process created: attrib.exe	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe	Jump to behavior
Source: C:\ProgramData\dsvqhifq359\tasksche.exe	Process created: attrib.exe	Jump to behavior

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)	Jump to dropped file
Source: C:\Windows\tasksche.exe	File created: C:\ProgramData\dsvqhifq359\tasksche.exe	Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe	Jump to dropped file

Source: C:\Windows\tasksche.exe

File created: C:\ProgramData\dsvqhifq359\tasksche.exe

Jump to dropped file

Source: C:\Windows\mssecsvc.exe	File created: C:\WINDOWS\qeriuwjhrf (copy)			Jump to dropped file
Source: C:\Windows\mssecsvc.exe	File created: C:\Windows\tasksche.exe			Jump to dropped file

Source: C:\Windows\mssecsvc.exe

Code function: 5_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

5_2_00407C40

Source: C:\ProgramData\dsvqhifq359\tasksche.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\mssecsvc.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Windows\mssecsvc.exe TID: 5440	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 5440	Thread sleep time: -194000s >= -30000s	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2972	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 2972	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Windows\mssecsvc.exe TID: 5440	Thread sleep time: -86400000s >= -30000s	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 3640	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 3640	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 3640	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 3640	Thread sleep time: -59000s >= -30000s	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 5880	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 5880	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 5880	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\tasksche.exe TID: 5880	Thread sleep time: -59000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\mssecsvc.exe	Thread delayed: delay time: 86400000			Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\NULL	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	File opened: C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll	Jump to behavior

Source: mssecsvc.exe, 00000005.00000002.2060012832.0000000000AFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: mssecsvc.exe, 00000007.00000002.2693091180.0000000000B38000.00000004.00000020.00020000.00000000.sdmp, mssecsvc.exe, 00000010.00000002.2086826305.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\tasksche.exe

Code function: 8_2_00401A45 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_00401A45

Source: C:\Windows\tasksche.exe

Code function: 8_2_004029CC free,GetProcessHeap,HeapFree,

8_2_004029CC

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\ProgramData\dsvqhifq359\tasksche.exe C:\ProgramData\dsvqhifq359\tasksche.exe

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\mssecsvc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\icacls.exe

Directory queried: number of queries: 1128

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	4 Windows Service	4 Windows Service	12 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	11 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	11 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Service Execution	1 Services File Permissions Weakness	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 Services File Permissions Weakness	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Proxy	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	11 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Services File Permissions Weakness	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
txWVWM8Kx4.dll	95%	ReversingLabs	Win32.Ransomware.WannaCry
txWVWM8Kx4.dll	92%	Virustotal		Browse
txWVWM8Kx4.dll	100%	Avira	TR/Ransom.Gen
txWVWM8Kx4.dll	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\dsvqhifq359\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\Windows\tasksche.exe	100%	Avira	TR/Ransom.Gen
C:\ProgramData\dsvqhifq359\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\ProgramData\dsvqhifq359\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\WINDOWS\qeriuwjhrf (copy)	93%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	93%	ReversingLabs	Win32.Ransomware.WannaCry

Source	Detection	Scanner	Label	Link
http://schemas.microso	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.microso	m_japanese.wnry.8.dr, m_japanese.wnry.10.dr	false	Avira URL Cloud: safe	unknown
http://schemas.microsoft.	m_vietnamese.wnry.8.dr, m_vietnamese.wnry.10.dr	false		high
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zipd	tasksche.exe, 0000001F.00000002.2606203668.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micr	tasksche.exe, 00000008.00000003.3084436455.0000000002443000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000008.00000003.3084603383.0000000002443000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000011.00000003.3108009351.0000000002673000.00000004.00000020.00020000.00000000.sdmp, tasksche.exe, 00000011.00000003.3108370134.0000000002673000.00000004.00000020.00020000.00000000.sdmp, m_czech.wnry.8.dr, m_danish.wnry.8.dr, m_czech.wnry.10.dr, m_danish.wnry.10.dr	false		high
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	c.wnry.8.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
60.171.191.1	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
60.171.191.2	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
152.117.243.51	unknown	United States	11863	PLUUS	false
99.19.50.104	unknown	United States	7018	ATT-INTERNET4US	false
75.48.114.78	unknown	United States	7018	ATT-INTERNET4US	false
95.129.132.1	unknown	Netherlands	42416	COMNET-ASNL	false
21.217.77.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
188.228.236.160	unknown	Italy	28929	ASDASD-ASIT	false
108.182.16.49	unknown	United States	12271	TWC-12271-NYCUS	false
29.147.136.1	unknown	United States	7922	COMCAST-7922US	false
188.228.236.1	unknown	Italy	28929	ASDASD-ASIT	false
180.35.1.114	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
133.14.202.1	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
133.14.202.2	unknown	Japan	2907	SINET-ASResearchOrganizationofInformationandSystemsN	false
52.34.64.2	unknown	United States	16509	AMAZON-02US	false
52.34.64.1	unknown	United States	16509	AMAZON-02US	false
43.89.144.1	unknown	Japan	4249	LILLY-ASUS	false
180.35.1.1	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
43.89.144.111	unknown	Japan	4249	LILLY-ASUS	false
41.167.36.1	unknown	South Africa	36937	Neotel-ASZA	false
74.80.92.140	unknown	United States	715	WOODYNET-2US	false
108.182.16.1	unknown	United States	12271	TWC-12271-NYCUS	false
59.178.161.2	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
59.178.161.1	unknown	India	17813	MTNL-APMahanagarTelephoneNigamLimitedIN	false
29.147.136.127	unknown	United States	7922	COMCAST-7922US	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224
192.168.2.108
192.168.2.229

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592069
Start date and time:	2025-01-15 18:11:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	txWVWM8Kx4.dll renamed because original name is a hash value
Original Sample Name:	07a5d326b196d166dc0618e7c25ac2b5.dll
Detection:	MAL
Classification:	mal100.rans.expl.evad.winDLL@66/67@0/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 58% Number of executed functions: 29 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 84.201.210.39, 2.17.190.73, 217.20.57.36, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:12:04	API Interceptor	1x Sleep call for process: loaddll32.exe modified
12:12:36	API Interceptor	112x Sleep call for process: mssecsvc.exe modified
12:12:36	API Interceptor	112x Sleep call for process: tasksche.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PLUUS	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	152.117.203.132
	kkkarm.elf	Get hash	malicious	Unknown	Browse	152.117.115.172
	na.elf	Get hash	malicious	Unknown	Browse	152.117.240.4
	http://webview.unferal.com	Get hash	malicious	Unknown	Browse	152.117.99.199
	DCwYFBy6z7.elf	Get hash	malicious	Mirai, Moobot	Browse	152.117.167.66
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	152.117.115.162
	VOD5Th43fb.elf	Get hash	malicious	Mirai	Browse	152.117.203.110
	5W0nv823TE.elf	Get hash	malicious	Mirai	Browse	152.117.203.139
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	152.117.218.244
	yQWPf8hWfh.elf	Get hash	malicious	Mirai	Browse	152.117.203.148
CHINANET-BACKBONENo31Jin-rongStreetCN	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	106.230.138.178
	bot.x86.elf	Get hash	malicious	Unknown	Browse	220.183.55.11
	bot.spc.elf	Get hash	malicious	Unknown	Browse	14.155.77.28
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	120.37.0.150
	bot.mips.elf	Get hash	malicious	Unknown	Browse	114.135.188.251
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	113.120.26.134
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	202.98.153.102
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	210.185.215.218
	bot.arm.elf	Get hash	malicious	Unknown	Browse	183.68.69.25
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	183.148.55.61
CHINANET-BACKBONENo31Jin-rongStreetCN	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	106.230.138.178
	bot.x86.elf	Get hash	malicious	Unknown	Browse	220.183.55.11
	bot.spc.elf	Get hash	malicious	Unknown	Browse	14.155.77.28
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	120.37.0.150
	bot.mips.elf	Get hash	malicious	Unknown	Browse	114.135.188.251
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	113.120.26.134
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	202.98.153.102
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	210.185.215.218
	bot.arm.elf	Get hash	malicious	Unknown	Browse	183.68.69.25
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	183.148.55.61
ATT-INTERNET4US	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	68.209.105.69
	GeW4GzT8G8.dll	Get hash	malicious	Virut, Wannacry	Browse	69.111.126.153
	bot.x86.elf	Get hash	malicious	Unknown	Browse	74.175.250.164
	bot.spc.elf	Get hash	malicious	Unknown	Browse	108.230.82.125
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	65.67.191.109
	bot.mips.elf	Get hash	malicious	Unknown	Browse	107.137.175.24
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	99.60.85.5
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	12.249.84.172
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	76.249.72.164
	bot.arm.elf	Get hash	malicious	Unknown	Browse	69.220.94.216

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	f5mfkHLLVe.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	hNgIvHRuTU.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	ACH REMITTANCE DOCUMENT 15.01.25.xlsb	Get hash	malicious	Unknown	Browse	23.1.237.91
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X	Get hash	malicious	HTMLPhisher	Browse	23.1.237.91
	NLWfV87ouS.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	330tqxXVzm.dll	Get hash	malicious	Wannacry	Browse	23.1.237.91
	https://asalto-bart.eu/o/dcv	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://teiegram-mg.org/	Get hash	malicious	Unknown	Browse	23.1.237.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Windows\tasksche.exe	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse
	UR9TBr66am.dll	Get hash	malicious	Wannacry	Browse
	eAx3JV2z84.dll	Get hash	malicious	Wannacry	Browse
C:\ProgramData\dsvqhifq359\tasksche.exe	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse
	UR9TBr66am.dll	Get hash	malicious	Wannacry	Browse
	eAx3JV2z84.dll	Get hash	malicious	Wannacry	Browse
C:\WINDOWS\qeriuwjhrf (copy)	542CxvZnI5.dll	Get hash	malicious	Virut, Wannacry	Browse
	UR9TBr66am.dll	Get hash	malicious	Wannacry	Browse
	eAx3JV2z84.dll	Get hash	malicious	Wannacry	Browse

Created / dropped Files

C:\ProgramData\dsvqhifq359\b.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\dsvqhifq359\c.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	data
Category:	dropped
Size (bytes):	780
Entropy (8bit):	2.332859493676233
Encrypted:	false
SSDEEP:	6:cL+pZkaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:ckmaRVcKKfm2MYS3sUQqGLGeTEV
MD5:	383A85EAB6ECDA319BFDDD82416FC6C2
SHA1:	2A9324E1D02C3E41582BF5370043D8AFEB02BA6F
SHA-256:	079CE1041CBFFE18FF62A2B4A33711EDA40F680D0B1D3B551DB47E39A6390B21
SHA-512:	C661E0B3C175D31B365362E52D7B152267A15D59517A4BCC493329BE20B23D0E4EB62D1BA80BB96447EEAF91A6901F4B34BF173B4AB6F90D4111EA97C87C1252
Malicious:	false
Preview:	...........................................................................................................................C......................................................115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................

C:\ProgramData\dsvqhifq359\msg\m_bulgarian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47879
Entropy (8bit):	4.950611667526586
Encrypted:	false
SSDEEP:	768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
MD5:	95673B0F968C0F55B32204361940D184
SHA1:	81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
SHA-256:	40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
SHA-512:	7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_chinese (simplified).wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	54359
Entropy (8bit):	5.015093444540877
Encrypted:	false
SSDEEP:	768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
MD5:	0252D45CA21C8E43C9742285C48E91AD
SHA1:	5C14551D2736EEF3A1C1970CC492206E531703C1
SHA-256:	845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
SHA-512:	1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\f44\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}@\'b9\'d9\'c5\'c1;}..{\f45\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}@MingLiU;}{\f53\fbidi \fmodern\fcharset129\fprq1{\*\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}..{\f54\fbidi \fmodern\fchar

C:\ProgramData\dsvqhifq359\msg\m_chinese (traditional).wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	79346
Entropy (8bit):	4.901891087442577
Encrypted:	false
SSDEEP:	768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
MD5:	2EFC3690D67CD073A9406A25005F7CEA
SHA1:	52C07F98870EABACE6EC370B7EB562751E8067E9
SHA-256:	5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
SHA-512:	0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020

C:\ProgramData\dsvqhifq359\msg\m_croatian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39070
Entropy (8bit):	5.03796878472628
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8c8/868H1F8E8/8Z3m8VdAm86a8n:Shef3jHd3G2n+p/mZrS14A
MD5:	17194003FA70CE477326CE2F6DEEB270
SHA1:	E325988F68D327743926EA317ABB9882F347FA73
SHA-256:	3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
SHA-512:	DCF4CCF0B352A8B271827B3B8E181F7D6502CA0F8C9DDA3DC6E53441BB4AE6E77B49C9C947CC3EDE0BF323F09140A0C068A907F3C23EA2A8495D1AD96820051C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_czech.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	40512
Entropy (8bit):	5.035949134693175
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k1Z8M8I818E838C8A8s:Shef3jHd2G26nyMZrS14g
MD5:	537EFEECDFA94CC421E58FD82A58BA9E
SHA1:	3609456E16BC16BA447979F3AA69221290EC17D0
SHA-256:	5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
SHA-512:	E007786FFA09CCD5A24E5C6504C8DE444929A2FAAAFAD3712367C05615B7E1B0FBF7FBFFF7028ED3F832CE226957390D8BF54308870E9ED597948A838DA1137B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_danish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37045
Entropy (8bit):	5.028683023706024
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
MD5:	2C5A3B81D5C4715B7BEA01033367FCB5
SHA1:	B548B45DA8463E17199DAAFD34C23591F94E82CD
SHA-256:	A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
SHA-512:	490C5A892FAC801B853C348477B1140755D4C53CA05726AC19D3649AF4285C93523393A3667E209C71C80AC06FFD809F62DD69AE65012DCB00445D032F1277B3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_dutch.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36987
Entropy (8bit):	5.036160205965849
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrS14f
MD5:	7A8D499407C6A647C03C4471A67EAAD7
SHA1:	D573B6AC8E7E04A05CBBD6B7F6A9842F371D343B
SHA-256:	2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
SHA-512:	608EF3FF0A517FE1E70FF41AEB277821565C5A9BEE5103AA5E45C68D4763FCE507C2A34D810F4CD242D163181F8341D9A69E93FE32ADED6FBC7F544C55743F12
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\ProgramData\dsvqhifq359\msg\m_english.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36973
Entropy (8bit):	5.040611616416892
Encrypted:	false
SSDEEP:	384:S93BHSj2cguALeT+sPzy3EFHjHdM2EG2YLC7O3eo75Y3kmA31dv61QyW:S93BHSTjHd0G2YLCZrS14y
MD5:	FE68C2DC0D2419B38F44D83F2FCF232E
SHA1:	6C6E49949957215AA2F3DFB72207D249ADF36283
SHA-256:	26FD072FDA6E12F8C2D3292086EF0390785EFA2C556E2A88BD4673102AF703E5
SHA-512:	941FA0A1F6A5756ED54260994DB6158A7EBEB9E18B5C8CA2F6530C579BC4455918DF0B38C609F501CA466B3CC067B40E4B861AD6513373B483B36338AE20A810
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhim

C:\ProgramData\dsvqhifq359\msg\m_filipino.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37580
Entropy (8bit):	5.0458193216786
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
MD5:	08B9E69B57E4C9B966664F8E1C27AB09
SHA1:	2DA1025BBBFB3CD308070765FC0893A48E5A85FA
SHA-256:	D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
SHA-512:	966B5ED68BE6B5CCD46E0DE1FA868CFE5432D9BF82E1E2F6EB99B2AEF3C92F88D96F4F4EEC5E16381B9C6DB80A68071E7124CA1474D664BDD77E1817EC600CB4
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\ProgramData\dsvqhifq359\msg\m_finnish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38377
Entropy (8bit):	5.030938473355282
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1AO3ZrS14l
MD5:	35C2F97EEA8819B1CAEBD23FEE732D8F
SHA1:	E354D1CC43D6A39D9732ADEA5D3B0F57284255D2
SHA-256:	1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E
SHA-512:	908149A6F5238FCCCD86F7C374986D486590A0991EF5243F0CD9E63CC8E208158A9A812665233B09C3A478233D30F21E3D355B94F36B83644795556F147345BF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_french.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38437
Entropy (8bit):	5.031126676607223
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHd0G2smJZrS14M
MD5:	4E57113A6BF6B88FDD32782A4A381274
SHA1:	0FCCBC91F0F94453D91670C6794F71348711061D
SHA-256:	9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
SHA-512:	4F1918A12269C654D44E9D394BC209EF0BC32242BE8833A2FBA437B879125177E149F56F2FB0C302330DEC328139B34982C04B3FEFB045612B6CC9F83EC85AA9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_german.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37181
Entropy (8bit):	5.039739267952546
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdN26G2VSA1Ieo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
MD5:	3D59BBB5553FE03A89F817819540F469
SHA1:	26781D4B06FF704800B463D0F1FCA3AFD923A9FE
SHA-256:	2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
SHA-512:	95719AE80589F71209BB3CB953276538040E7111B994D757B0A24283AEFE27AADBBE9EEF3F1F823CE4CABC1090946D4A2A558607AC6CAC6FACA5971529B34DAC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_greek.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	49044
Entropy (8bit):	4.910095634621579
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
MD5:	FB4E8718FEA95BB7479727FDE80CB424
SHA1:	1088C7653CBA385FE994E9AE34A6595898F20AEB
SHA-256:	E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
SHA-512:	24DB377AF1569E4E2B2EBCCEC42564CEA95A30F1FF43BCAF25A692F99567E027BCEF4AACEF008EC5F64EA2EEF0C04BE88D2B30BCADABB3919B5F45A6633940CB
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_indonesian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37196
Entropy (8bit):	5.039268541932758
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14I
MD5:	3788F91C694DFC48E12417CE93356B0F
SHA1:	EB3B87F7F654B604DAF3484DA9E02CA6C4EA98B7
SHA-256:	23E5E738AAD10FB8EF89AA0285269AFF728070080158FD3E7792FE9ED47C51F4
SHA-512:	B7DD9E6DC7C2D023FF958CAF132F0544C76FAE3B2D8E49753257676CC541735807B4BEFDF483BCAE94C2DCDE3C878C783B4A89DCA0FECBC78F5BBF7C356F35CD
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\ProgramData\dsvqhifq359\msg\m_italian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36883
Entropy (8bit):	5.028048191734335
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
MD5:	30A200F78498990095B36F574B6E8690
SHA1:	C4B1B3C087BD12B063E98BCA464CD05F3F7B7882
SHA-256:	49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
SHA-512:	C0DA2AAE82C397F6943A0A7B838F60EEEF8F57192C5F498F2ECF05DB824CFEB6D6CA830BF3715DA7EE400AA8362BD64DC835298F3F0085AE7A744E6E6C690511
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_japanese.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	81844
Entropy (8bit):	4.85025787009624
Encrypted:	false
SSDEEP:	384:SXZ0j2cKKwd1lksPzy3EFHjHdI2MG275rQeo75Y3kmA31dv61Qyr:SXZ0qbjHd4G2RNZrS14P
MD5:	B77E1221F7ECD0B5D696CB66CDA1609E
SHA1:	51EB7A254A33D05EDF188DED653005DC82DE8A46
SHA-256:	7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
SHA-512:	F435FD67954787E6B87460DB026759410FBD25B2F6EA758118749C113A50192446861A114358443A129BE817020B50F21D27B1EBD3D22C7BE62082E8B45223FC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f44\fbidi \froman\fcharset129\fprq2{\*\panose 020306000001

C:\ProgramData\dsvqhifq359\msg\m_korean.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	91501
Entropy (8bit):	4.841830504507431
Encrypted:	false
SSDEEP:	768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
MD5:	6735CB43FE44832B061EEB3F5956B099
SHA1:	D636DAF64D524F81367EA92FDAFA3726C909BEE1
SHA-256:	552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
SHA-512:	60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_latvian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41169
Entropy (8bit):	5.030695296195755
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
MD5:	C33AFB4ECC04EE1BCC6975BEA49ABE40
SHA1:	FBEA4F170507CDE02B839527EF50B7EC74B4821F
SHA-256:	A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
SHA-512:	0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_norwegian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37577
Entropy (8bit):	5.025836823617116
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
MD5:	FF70CC7C00951084175D12128CE02399
SHA1:	75AD3B1AD4FB14813882D88E952208C648F1FD18
SHA-256:	CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
SHA-512:	F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_polish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39896
Entropy (8bit):	5.048541002474746
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
MD5:	E79D7F2833A9C2E2553C7FE04A1B63F4
SHA1:	3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
SHA-256:	519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
SHA-512:	E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_portuguese.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37917
Entropy (8bit):	5.027872281764284
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
MD5:	FA948F7D8DFB21CEDDD6794F2D56B44F
SHA1:	CA915FBE020CAA88DD776D89632D7866F660FC7A
SHA-256:	BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
SHA-512:	0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_romanian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	52161
Entropy (8bit):	4.964306949910696
Encrypted:	false
SSDEEP:	768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
MD5:	313E0ECECD24F4FA1504118A11BC7986
SHA1:	E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
SHA-256:	70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
SHA-512:	C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_russian.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47108
Entropy (8bit):	4.952777691675008
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
MD5:	452615DB2336D60AF7E2057481E4CAB5
SHA1:	442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
SHA-256:	02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
SHA-512:	7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_slovak.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41391
Entropy (8bit):	5.027730966276624
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
MD5:	C911ABA4AB1DA6C28CF86338AB2AB6CC
SHA1:	FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
SHA-256:	E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
SHA-512:	3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_spanish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37381
Entropy (8bit):	5.02443306661187
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
MD5:	8D61648D34CBA8AE9D1E2A219019ADD1
SHA1:	2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
SHA-256:	72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
SHA-512:	68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_swedish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38483
Entropy (8bit):	5.022972736625151
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
MD5:	C7A19984EB9F37198652EAF2FD1EE25C
SHA1:	06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
SHA-256:	146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
SHA-512:	43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_turkish.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	42582
Entropy (8bit):	5.010722377068833
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
MD5:	531BA6B1A5460FC9446946F91CC8C94B
SHA1:	CC56978681BD546FD82D87926B5D9905C92A5803
SHA-256:	6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
SHA-512:	EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\msg\m_vietnamese.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	93778
Entropy (8bit):	4.76206134900188
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
MD5:	8419BE28A0DCEC3F55823620922B00FA
SHA1:	2E4791F9CDFCA8ABF345D606F313D22B36C46B92
SHA-256:	1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
SHA-512:	8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\ProgramData\dsvqhifq359\r.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	864
Entropy (8bit):	4.5335184780121995
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
MD5:	3E0020FC529B1C2A061016DD2469BA96
SHA1:	C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
SHA-256:	402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
SHA-512:	5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\ProgramData\dsvqhifq359\r.wnry, Author: Florian Roth
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...

C:\ProgramData\dsvqhifq359\s.wnry

Download File

Process:	C:\ProgramData\dsvqhifq359\tasksche.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2752512
Entropy (8bit):	7.9983596446162535
Encrypted:	true
SSDEEP:	49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh93:z/b96AdHA5XaTJvQYUBBgRlJi+rl4
MD5:	23BE438907AAF12146646F32E399D494
SHA1:	8785F329B80C05714FB38880DABC7B3F908BA027
SHA-256:	2E335B26D70EA21BAE79E936DA29EC35E91685C5ACFC86966E21ACEC4C36E227
SHA-512:	5F421A75C381314A0F658F42D88E18A3897B420EDA41F8A2EF167CDB3B5A50C1043FB396573863376D2107B03EDC997E9907CCBE6919379057F78CF26AC68A3B
Malicious:	false
Preview:	PK..........!(................Data/PK........M..J................Data/Tor/PK..........!(................Tor/PK..........!(..t.......0.....Tor/libeay32.dll.:.t.e....6m.....Me.Vjil....!..E..T..e.....e....,.c..o=..t.u..,....J..k-.x.V..:1u....v..7.L~..?{..rN23.w......o..N2....WU..G..G.......Ed..7..q.o.5.]w.{...wl\y..m..w...?]......n......Z]UX./h4.....]...71....e.\^1..I..MH5...k.o+..s...c\|s....-#d,!..............eW...?a.......R..I..R......w.....m..#od.q.&..g.;.C(..t.V...j.Jq%...d_.Js...Hk.j#...DH.....,8_.O...]U....t .......ks:..T...18.C.%ASZJ3.U.nl..J.@)...$...N.s.O........m.0..e..4.....m...lI..Z..7.f-.?....;...?.SO....}..7#.L8...5.z.~.........E.S..1....7..0...pf.....jz.)..Y..8..^....B........p.W..r..B.....p..?......../`Wl..D.xAi..$..d.......&..p. ..bOtE.\.......(..&A...6v..S..Q...L...3 .:.6.m7.'.......)......iH.NZ_t.;./.a..n.g...A`.T.k.........."...<.rt..3....0.{N..yy...p.z.=..#.u.u...d......mQ...H..2.N.BRSN...XC....).".@.._.18.&...n

C:\ProgramData\dsvqhifq359\tasksche.exe

Download File

Process:	C:\Windows\tasksche.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.777724762407647
Encrypted:	false
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3x:QqPe1Cxcxk3ZAEUadzR8sB
MD5:	79409B6F48460807480E4A574312D85F
SHA1:	5D9F64CCF13081441F2785A535E02312236445D9
SHA-256:	331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
SHA-512:	AC004B3248CBC2CE7B6D566E3F5128195669E5C53C24AE13668E37FDADCB5158CC345D7A33CADFED6328A25A640C5FA612D0F0DB86989C3ACC21771B55508916
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Joe Sandbox View:	Filename: 542CxvZnI5.dll, Detection: malicious, Browse Filename: UR9TBr66am.dll, Detection: malicious, Browse Filename: eAx3JV2z84.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\WINDOWS\qeriuwjhrf (copy)

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.777724762407647
Encrypted:	false
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3x:QqPe1Cxcxk3ZAEUadzR8sB
MD5:	79409B6F48460807480E4A574312D85F
SHA1:	5D9F64CCF13081441F2785A535E02312236445D9
SHA-256:	331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
SHA-512:	AC004B3248CBC2CE7B6D566E3F5128195669E5C53C24AE13668E37FDADCB5158CC345D7A33CADFED6328A25A640C5FA612D0F0DB86989C3ACC21771B55508916
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 93%
Joe Sandbox View:	Filename: 542CxvZnI5.dll, Detection: malicious, Browse Filename: UR9TBr66am.dll, Detection: malicious, Browse Filename: eAx3JV2z84.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\b.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	PC bitmap, Windows 3.x format, 800 x 600 x 24, image size 1440000, resolution 3779 x 3779 px/m, cbSize 1440054, bits offset 54
Category:	dropped
Size (bytes):	1440054
Entropy (8bit):	0.3363393123555661
Encrypted:	false
SSDEEP:	384:zYzuP4tiuOub2WuzvqOFgjexqO5XgYWTIWv/+:sbL+
MD5:	C17170262312F3BE7027BC2CA825BF0C
SHA1:	F19ECEDA82973239A1FDC5826BCE7691E5DCB4FB
SHA-256:	D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
SHA-512:	C6160FD03AD659C8DD9CF2A83F9FDCD34F2DB4F8F27F33C5AFD52ACED49DFA9CE4909211C221A0479DBBB6E6C985385557C495FC04D3400FF21A0FBBAE42EE7C
Malicious:	false
Preview:	BM6.......6...(... ...X.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\c.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	data
Category:	dropped
Size (bytes):	780
Entropy (8bit):	2.332859493676233
Encrypted:	false
SSDEEP:	6:cL+pZkaHqHgVcKKfF9mHRMMPRGS37LlN/sUQqGUSGeTsdEC:ckmaRVcKKfm2MYS3sUQqGLGeTEV
MD5:	383A85EAB6ECDA319BFDDD82416FC6C2
SHA1:	2A9324E1D02C3E41582BF5370043D8AFEB02BA6F
SHA-256:	079CE1041CBFFE18FF62A2B4A33711EDA40F680D0B1D3B551DB47E39A6390B21
SHA-512:	C661E0B3C175D31B365362E52D7B152267A15D59517A4BCC493329BE20B23D0E4EB62D1BA80BB96447EEAF91A6901F4B34BF173B4AB6F90D4111EA97C87C1252
Malicious:	false
Preview:	...........................................................................................................................C......................................................115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn................gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;.......................................................................................................................................https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip...........................................................................................................................................................................................................................................

C:\Windows\msg\m_bulgarian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47879
Entropy (8bit):	4.950611667526586
Encrypted:	false
SSDEEP:	768:Shef3jHdCG28Eb1tyci8crbEw6/5+3xFkbP0vyzbZrS14e:SheU5De
MD5:	95673B0F968C0F55B32204361940D184
SHA1:	81E427D15A1A826B93E91C3D2FA65221C8CA9CFF
SHA-256:	40B37E7B80CF678D7DD302AAF41B88135ADE6DDF44D89BDBA19CF171564444BD
SHA-512:	7601F1883EDBB4150A9DC17084012323B3BFA66F6D19D3D0355CF82B6A1C9DCE475D758DA18B6D17A8B321BF6FCA20915224DBAEDCB3F4D16ABFAF7A5FC21B92
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_chinese (simplified).wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	54359
Entropy (8bit):	5.015093444540877
Encrypted:	false
SSDEEP:	768:SWjkSFwwlUdcUG2HAmDTzpXtgmDNQ8qD7DHDqMtgDdLDMaDoKMGzD0DWJQ8/QoZ4:SWcwiqDB
MD5:	0252D45CA21C8E43C9742285C48E91AD
SHA1:	5C14551D2736EEF3A1C1970CC492206E531703C1
SHA-256:	845D0E178AEEBD6C7E2A2E9697B2BF6CF02028C50C288B3BA88FE2918EA2834A
SHA-512:	1BFCF6C0E7C977D777F12BD20AC347630999C4D99BD706B40DE7FF8F2F52E02560D68093142CC93722095657807A1480CE3FB6A2E000C488550548C497998755
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\f44\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}@\'b9\'d9\'c5\'c1;}..{\f45\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}@MingLiU;}{\f53\fbidi \fmodern\fcharset129\fprq1{\*\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}..{\f54\fbidi \fmodern\fchar

C:\Windows\msg\m_chinese (traditional).wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	79346
Entropy (8bit):	4.901891087442577
Encrypted:	false
SSDEEP:	768:SDwtkzjHdLG2xN1fyvnywUKB5lylYlzlJpsbuEWeM/yDRu9uCuwyInIwDOHEhm/v:SDnz5Rt4D4
MD5:	2EFC3690D67CD073A9406A25005F7CEA
SHA1:	52C07F98870EABACE6EC370B7EB562751E8067E9
SHA-256:	5C7F6AD1EC4BC2C8E2C9C126633215DABA7DE731AC8B12BE10CA157417C97F3A
SHA-512:	0766C58E64D9CDA5328E00B86F8482316E944AA2C26523A3C37289E22C34BE4B70937033BEBDB217F675E40DB9FECDCE0A0D516F9065A170E28286C2D218487C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f18\fbidi \fmodern\fcharset136\fprq1{\\panose 02020509000000000000}MingLiU{\\falt 2OcuAe};}{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}..{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020

C:\Windows\msg\m_croatian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39070
Entropy (8bit):	5.03796878472628
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb2YG2+d18Scgn8c8/868H1F8E8/8Z3m8VdAm86a8n:Shef3jHd3G2n+p/mZrS14A
MD5:	17194003FA70CE477326CE2F6DEEB270
SHA1:	E325988F68D327743926EA317ABB9882F347FA73
SHA-256:	3F33734B2D34CCE83936CE99C3494CD845F1D2C02D7F6DA31D42DFC1CA15A171
SHA-512:	DCF4CCF0B352A8B271827B3B8E181F7D6502CA0F8C9DDA3DC6E53441BB4AE6E77B49C9C947CC3EDE0BF323F09140A0C068A907F3C23EA2A8495D1AD96820051C
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_czech.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	40512
Entropy (8bit):	5.035949134693175
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2yG2gv8n8+8zfB8k8F8i8k1Z8M8I818E838C8A8s:Shef3jHd2G26nyMZrS14g
MD5:	537EFEECDFA94CC421E58FD82A58BA9E
SHA1:	3609456E16BC16BA447979F3AA69221290EC17D0
SHA-256:	5AFA4753AFA048C6D6C39327CE674F27F5F6E5D3F2A060B7A8AED61725481150
SHA-512:	E007786FFA09CCD5A24E5C6504C8DE444929A2FAAAFAD3712367C05615B7E1B0FBF7FBFFF7028ED3F832CE226957390D8BF54308870E9ED597948A838DA1137B
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_danish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37045
Entropy (8bit):	5.028683023706024
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd02wG2roqni2Jeo75Y3kmA31dv61QyU:Shef3jHd4G2M5bZrS14Q
MD5:	2C5A3B81D5C4715B7BEA01033367FCB5
SHA1:	B548B45DA8463E17199DAAFD34C23591F94E82CD
SHA-256:	A75BB44284B9DB8D702692F84909A7E23F21141866ADF3DB888042E9109A1CB6
SHA-512:	490C5A892FAC801B853C348477B1140755D4C53CA05726AC19D3649AF4285C93523393A3667E209C71C80AC06FFD809F62DD69AE65012DCB00445D032F1277B3
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_dutch.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36987
Entropy (8bit):	5.036160205965849
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdp2oG2/CzhReo75Y3kmA31dv61Qyz:Sw3BHSWjHdBG2/UhsZrS14f
MD5:	7A8D499407C6A647C03C4471A67EAAD7
SHA1:	D573B6AC8E7E04A05CBBD6B7F6A9842F371D343B
SHA-256:	2C95BEF914DA6C50D7BDEDEC601E589FBB4FDA24C4863A7260F4F72BD025799C
SHA-512:	608EF3FF0A517FE1E70FF41AEB277821565C5A9BEE5103AA5E45C68D4763FCE507C2A34D810F4CD242D163181F8341D9A69E93FE32ADED6FBC7F544C55743F12
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Windows\msg\m_english.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36973
Entropy (8bit):	5.040611616416892
Encrypted:	false
SSDEEP:	384:S93BHSj2cguALeT+sPzy3EFHjHdM2EG2YLC7O3eo75Y3kmA31dv61QyW:S93BHSTjHd0G2YLCZrS14y
MD5:	FE68C2DC0D2419B38F44D83F2FCF232E
SHA1:	6C6E49949957215AA2F3DFB72207D249ADF36283
SHA-256:	26FD072FDA6E12F8C2D3292086EF0390785EFA2C556E2A88BD4673102AF703E5
SHA-512:	941FA0A1F6A5756ED54260994DB6158A7EBEB9E18B5C8CA2F6530C579BC4455918DF0B38C609F501CA466B3CC067B40E4B861AD6513373B483B36338AE20A810
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f1\fbidi \fswiss\fcharset0\fprq2{\\panose 020b0604020202020204}Arial;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhim

C:\Windows\msg\m_filipino.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37580
Entropy (8bit):	5.0458193216786
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdi2MG2AGsi6p07i/eo75Y3kmA31dv61QyR:Sw3BHSWjHdGG2Axa7iGZrS14N
MD5:	08B9E69B57E4C9B966664F8E1C27AB09
SHA1:	2DA1025BBBFB3CD308070765FC0893A48E5A85FA
SHA-256:	D8489F8C16318E524B45DE8B35D7E2C3CD8ED4821C136F12F5EF3C9FC3321324
SHA-512:	966B5ED68BE6B5CCD46E0DE1FA868CFE5432D9BF82E1E2F6EB99B2AEF3C92F88D96F4F4EEC5E16381B9C6DB80A68071E7124CA1474D664BDD77E1817EC600CB4
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Windows\msg\m_finnish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38377
Entropy (8bit):	5.030938473355282
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2oG2l1glOmeo75Y3kmA31dv61QyB:Shef3jHdMG2l1AO3ZrS14l
MD5:	35C2F97EEA8819B1CAEBD23FEE732D8F
SHA1:	E354D1CC43D6A39D9732ADEA5D3B0F57284255D2
SHA-256:	1ADFEE058B98206CB4FBE1A46D3ED62A11E1DEE2C7FF521C1EEF7C706E6A700E
SHA-512:	908149A6F5238FCCCD86F7C374986D486590A0991EF5243F0CD9E63CC8E208158A9A812665233B09C3A478233D30F21E3D355B94F36B83644795556F147345BF
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_french.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38437
Entropy (8bit):	5.031126676607223
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdtW2IG2sjqMeo75Y3kmA31dv61Qyg:Shef3jHd0G2smJZrS14M
MD5:	4E57113A6BF6B88FDD32782A4A381274
SHA1:	0FCCBC91F0F94453D91670C6794F71348711061D
SHA-256:	9BD38110E6523547AED50617DDC77D0920D408FAEED2B7A21AB163FDA22177BC
SHA-512:	4F1918A12269C654D44E9D394BC209EF0BC32242BE8833A2FBA437B879125177E149F56F2FB0C302330DEC328139B34982C04B3FEFB045612B6CC9F83EC85AA9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_german.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37181
Entropy (8bit):	5.039739267952546
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdN26G2VSA1Ieo75Y3kmA31dv61QyU:Shef3jHdfG2oe1ZrS14w
MD5:	3D59BBB5553FE03A89F817819540F469
SHA1:	26781D4B06FF704800B463D0F1FCA3AFD923A9FE
SHA-256:	2ADC900FAFA9938D85CE53CB793271F37AF40CF499BCC454F44975DB533F0B61
SHA-512:	95719AE80589F71209BB3CB953276538040E7111B994D757B0A24283AEFE27AADBBE9EEF3F1F823CE4CABC1090946D4A2A558607AC6CAC6FACA5971529B34DAC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_greek.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	49044
Entropy (8bit):	4.910095634621579
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdc2oG2WWDFFG5BwKeo75Y3kmA31dv61QyM:Shef3jHdoG2NHG5BwLZrS14Q
MD5:	FB4E8718FEA95BB7479727FDE80CB424
SHA1:	1088C7653CBA385FE994E9AE34A6595898F20AEB
SHA-256:	E13CC9B13AA5074DC45D50379ECEB17EE39A0C2531AB617D93800FE236758CA9
SHA-512:	24DB377AF1569E4E2B2EBCCEC42564CEA95A30F1FF43BCAF25A692F99567E027BCEF4AACEF008EC5F64EA2EEF0C04BE88D2B30BCADABB3919B5F45A6633940CB
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_indonesian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37196
Entropy (8bit):	5.039268541932758
Encrypted:	false
SSDEEP:	384:Sw3BHSj2cLeT+sPzy3EFHjHdY2oG2pq32eo75Y3kmA31dv61Qys:Sw3BHSWjHdUG2pq3nZrS14I
MD5:	3788F91C694DFC48E12417CE93356B0F
SHA1:	EB3B87F7F654B604DAF3484DA9E02CA6C4EA98B7
SHA-256:	23E5E738AAD10FB8EF89AA0285269AFF728070080158FD3E7792FE9ED47C51F4
SHA-512:	B7DD9E6DC7C2D023FF958CAF132F0544C76FAE3B2D8E49753257676CC541735807B4BEFDF483BCAE94C2DCDE3C878C783B4A89DCA0FECBC78F5BBF7C356F35CD
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f53\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}\'b1\'bc\'b8\'b2\'c3\'bc;}{\f54\fbidi \fmodern\fcharset129\fprq1{\\panose 020b0609000101010101}@\'b1\'bc\'b8\'b2\'c3\'bc;}..{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\fhimajor\f31502\fbidi \froman\fcharset0\fprq2{\*\panose 02040503050406030204}

C:\Windows\msg\m_italian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	36883
Entropy (8bit):	5.028048191734335
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdR2AG2c/EnByeo75Y3kmA31dv61Qy9:Shef3jHdJG2cQZrS14R
MD5:	30A200F78498990095B36F574B6E8690
SHA1:	C4B1B3C087BD12B063E98BCA464CD05F3F7B7882
SHA-256:	49F2C739E7D9745C0834DC817A71BF6676CCC24A4C28DCDDF8844093AAB3DF07
SHA-512:	C0DA2AAE82C397F6943A0A7B838F60EEEF8F57192C5F498F2ECF05DB824CFEB6D6CA830BF3715DA7EE400AA8362BD64DC835298F3F0085AE7A744E6E6C690511
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_japanese.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	81844
Entropy (8bit):	4.85025787009624
Encrypted:	false
SSDEEP:	384:SXZ0j2cKKwd1lksPzy3EFHjHdI2MG275rQeo75Y3kmA31dv61Qyr:SXZ0qbjHd4G2RNZrS14P
MD5:	B77E1221F7ECD0B5D696CB66CDA1609E
SHA1:	51EB7A254A33D05EDF188DED653005DC82DE8A46
SHA-256:	7E491E7B48D6E34F916624C1CDA9F024E86FCBEC56ACDA35E27FA99D530D017E
SHA-512:	F435FD67954787E6B87460DB026759410FBD25B2F6EA758118749C113A50192446861A114358443A129BE817020B50F21D27B1EBD3D22C7BE62082E8B45223FC
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f11\fbidi \fmodern\fcharset128\fprq1{\\panose 02020609040205080304}MS Mincho{\\falt ?l?r ??\'81\'66c};}{\f12\fbidi \froman\fcharset129\fprq2{\\panose 02030600000101010101}\'b9\'d9\'c5\'c1{\\falt Batang};}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}..{\f44\fbidi \froman\fcharset129\fprq2{\*\panose 020306000001

C:\Windows\msg\m_korean.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	91501
Entropy (8bit):	4.841830504507431
Encrypted:	false
SSDEEP:	768:Shef3jHdUG2NQcbxfSVZiG9jvi3//ZVrMQr7pEKCHSI2DsY78piTDtTa6BxzBwdY:SheiaDq
MD5:	6735CB43FE44832B061EEB3F5956B099
SHA1:	D636DAF64D524F81367EA92FDAFA3726C909BEE1
SHA-256:	552AA0F82F37C9601114974228D4FC54F7434FE3AE7A276EF1AE98A0F608F1D0
SHA-512:	60272801909DBBA21578B22C49F6B0BA8CD0070F116476FF35B3AC8347B987790E4CC0334724244C4B13415A246E77A577230029E4561AE6F04A598C3F536C7E
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_latvian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41169
Entropy (8bit):	5.030695296195755
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdcqH24G2ZN1EDCv3Apb0WD5gYV/S4L3rnzdeo75Y3f:Shef3jHdcMG2NpZrS14F
MD5:	C33AFB4ECC04EE1BCC6975BEA49ABE40
SHA1:	FBEA4F170507CDE02B839527EF50B7EC74B4821F
SHA-256:	A0356696877F2D94D645AE2DF6CE6B370BD5C0D6DB3D36DEF44E714525DE0536
SHA-512:	0D435F0836F61A5FF55B78C02FA47B191E5807A79D8A6E991F3115743DF2141B3DB42BA8BDAD9AD259E12F5800828E9E72D7C94A6A5259312A447D669B03EC44
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_norwegian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37577
Entropy (8bit):	5.025836823617116
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2MG2D7mgwroXeo75Y3kmA31dv61Qy5:Shef3jHdGG23KrDZrS14N
MD5:	FF70CC7C00951084175D12128CE02399
SHA1:	75AD3B1AD4FB14813882D88E952208C648F1FD18
SHA-256:	CB5DA96B3DFCF4394713623DBF3831B2A0B8BE63987F563E1C32EDEB74CB6C3A
SHA-512:	F01DF3256D49325E5EC49FD265AA3F176020C8FFEC60EB1D828C75A3FA18FF8634E1DE824D77DFDD833768ACFF1F547303104620C70066A2708654A07EF22E19
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_polish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	39896
Entropy (8bit):	5.048541002474746
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdD2SG2gA8w8OJ6868jy8/8w8m8T848f8y858l8j8yv:Shef3jHdxG2KhuZrS14G
MD5:	E79D7F2833A9C2E2553C7FE04A1B63F4
SHA1:	3D9F56D2381B8FE16042AA7C4FEB1B33F2BAEBFF
SHA-256:	519AD66009A6C127400C6C09E079903223BD82ECC18AD71B8E5CD79F5F9C053E
SHA-512:	E0159C753491CAC7606A7250F332E87BC6B14876BC7A1CF5625FA56AB4F09C485F7B231DD52E4FF0F5F3C29862AFB1124C0EFD0741613EB97A83CBE2668AF5DE
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_portuguese.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37917
Entropy (8bit):	5.027872281764284
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdy2QG2xgk5eo75Y3kmA31dv61QyV:Shef3jHdCG2EZrS14p
MD5:	FA948F7D8DFB21CEDDD6794F2D56B44F
SHA1:	CA915FBE020CAA88DD776D89632D7866F660FC7A
SHA-256:	BD9F4B3AEDF4F81F37EC0A028AABCB0E9A900E6B4DE04E9271C8DB81432E2A66
SHA-512:	0D211BFB0AE953081DCA00CD07F8C908C174FD6C47A8001FADC614203F0E55D9FBB7FA9B87C735D57101341AB36AF443918EE00737ED4C19ACE0A2B85497F41A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_romanian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	52161
Entropy (8bit):	4.964306949910696
Encrypted:	false
SSDEEP:	768:Shef3jHdXG2Cz2/vBAOZsQO0cLfnF/Zhcz7sDsYZBB/0gBjL+IU/hbhMVDtsR49P:ShehlrGR1m4dx9mjVyAvg7ouDT
MD5:	313E0ECECD24F4FA1504118A11BC7986
SHA1:	E1B9AE804C7FB1D27F39DB18DC0647BB04E75E9D
SHA-256:	70C0F32ED379AE899E5AC975E20BBBACD295CF7CD50C36174D2602420C770AC1
SHA-512:	C7500363C61BAF8B77FCE796D750F8F5E6886FF0A10F81C3240EA3AD4E5F101B597490DEA8AB6BD9193457D35D8FD579FCE1B88A1C8D85EBE96C66D909630730
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_russian.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	47108
Entropy (8bit):	4.952777691675008
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdg2qG2aUGs0K6lyZqmfGGHRblldORZeo75Y3kmA31L:Shef3jHdeG2lGsDOcZxbP7ZrS14K
MD5:	452615DB2336D60AF7E2057481E4CAB5
SHA1:	442E31F6556B3D7DE6EB85FBAC3D2957B7F5EAC6
SHA-256:	02932052FAFE97E6ACAAF9F391738A3A826F5434B1A013ABBFA7A6C1ADE1E078
SHA-512:	7613DC329ABE7A3F32164C9A6B660F209A84B774AB9C008BF6503C76255B30EA9A743A6DC49A8DE8DF0BCB9AEA5A33F7408BA27848D9562583FF51991910911F
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_slovak.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	41391
Entropy (8bit):	5.027730966276624
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHd4Yb2YG2gNZ8a8zV/8j8U8l8x838Z8Q808m8d8T8hw:Shef3jHdZvG23AZrS14f
MD5:	C911ABA4AB1DA6C28CF86338AB2AB6CC
SHA1:	FEE0FD58B8EFE76077620D8ABC7500DBFEF7C5B0
SHA-256:	E64178E339C8E10EAC17A236A67B892D0447EB67B1DCD149763DAD6FD9F72729
SHA-512:	3491ED285A091A123A1A6D61AAFBB8D5621CCC9E045A237A2F9C2CF6049E7420EB96EF30FDCEA856B50454436E2EC468770F8D585752D73FAFD676C4EF5E800A
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_spanish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	37381
Entropy (8bit):	5.02443306661187
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdf24G2/ezV6YQUdZYlujeMQ9RXmhRweo75Y3kmA31S:Shef3jHdrG2fuhZrS14T
MD5:	8D61648D34CBA8AE9D1E2A219019ADD1
SHA1:	2091E42FC17A0CC2F235650F7AAD87ABF8BA22C2
SHA-256:	72F20024B2F69B45A1391F0A6474E9F6349625CE329F5444AEC7401FE31F8DE1
SHA-512:	68489C33BA89EDFE2E3AEBAACF8EF848D2EA88DCBEF9609C258662605E02D12CFA4FFDC1D266FC5878488E296D2848B2CB0BBD45F1E86EF959BAB6162D284079
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_swedish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	38483
Entropy (8bit):	5.022972736625151
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdb24G2ZKLVdDeo75Y3kmA31dv61QyE:Shef3jHd/G2w6ZrS14w
MD5:	C7A19984EB9F37198652EAF2FD1EE25C
SHA1:	06EAFED025CF8C4D76966BF382AB0C5E1BD6A0AE
SHA-256:	146F61DB72297C9C0FACFFD560487F8D6A2846ECEC92ECC7DB19C8D618DBC3A4
SHA-512:	43DD159F9C2EAC147CBFF1DDA83F6A83DD0C59D2D7ACAC35BA8B407A04EC9A1110A6A8737535D060D100EDE1CB75078CF742C383948C9D4037EF459D150F6020
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_turkish.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	42582
Entropy (8bit):	5.010722377068833
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHds42WG2mzGu/eo75Y3kmA31dv61QyZ:Shef3jHdsiG2moZrS149
MD5:	531BA6B1A5460FC9446946F91CC8C94B
SHA1:	CC56978681BD546FD82D87926B5D9905C92A5803
SHA-256:	6DB650836D64350BBDE2AB324407B8E474FC041098C41ECAC6FD77D632A36415
SHA-512:	EF25C3CF4343DF85954114F59933C7CC8107266C8BCAC3B5EA7718EB74DBEE8CA8A02DA39057E6EF26B64F1DFCCD720DD3BF473F5AE340BA56941E87D6B796C9
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\msg\m_vietnamese.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Rich Text Format data, version 1, ANSI, code page 1252, default middle east language ID 1025
Category:	dropped
Size (bytes):	93778
Entropy (8bit):	4.76206134900188
Encrypted:	false
SSDEEP:	384:SheftipUENLFsPzy3EFHjHdW2YG22cViQj3KiG8dpcH8iEriG8E8O83Jz52sxG8h:Shef3jHdWG2+oPZrS14i
MD5:	8419BE28A0DCEC3F55823620922B00FA
SHA1:	2E4791F9CDFCA8ABF345D606F313D22B36C46B92
SHA-256:	1F21838B244C80F8BED6F6977AA8A557B419CF22BA35B1FD4BF0F98989C5BDF8
SHA-512:	8FCA77E54480AEA3C0C7A705263ED8FB83C58974F5F0F62F12CC97C8E0506BA2CDB59B70E59E9A6C44DD7CDE6ADEEEC35B494D31A6A146FF5BA7006136AB9386
Malicious:	false
Preview:	{\rtf1\adeflang1025\ansi\ansicpg1252\uc2\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi0\deflang1033\deflangfe1042\themelang1033\themelangfe1042\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}{\f2\fbidi \fmodern\fcharset0\fprq1{\\panose 02070309020205020404}Courier New;}..{\f34\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria Math;}{\f36\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f37\fbidi \froman\fcharset0\fprq2{\\panose 02040503050406030204}Cambria;}{\f40\fbidi \fmodern\fcharset129\fprq2{\\panose 020b0503020000020004}@\'b8\'bc\'c0\'ba \'b0\'ed\'b5\'f1;}..{\f41\fbidi \fmodern\fcharset0\fprq1{\\panose 020b0609020204030204}Consolas;}{\flomajor\f31500\fbidi \froman\fcharset0\fprq2{\\panose 02020603050405020304}Times New Roman;}..{\fdbmajor\f31501\fbidi \fmodern\fcharset129\fprq2{\*\panose 020b0503020000020004}\'b8\'bc\'c0\'ba

C:\Windows\r.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	864
Entropy (8bit):	4.5335184780121995
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0Ei5bnBR7brW8PNAi0eEprY+Ai75wRZce/:DZD36W5/vWmMo+m
MD5:	3E0020FC529B1C2A061016DD2469BA96
SHA1:	C3A91C22B63F6FE709E7C29CAFB29A2EE83E6ADE
SHA-256:	402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
SHA-512:	5CA3C134201ED39D96D72911C0498BAE6F98701513FD7F1DC8512819B673F0EA580510FA94ED9413CCC73DA18B39903772A7CBFA3478176181CEE68C896E14CF
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\Windows\r.wnry, Author: Florian Roth
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send %s to this bitcoin address: %s.... Next, please find an application file named "%s". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window...

C:\Windows\s.wnry

Download File

Process:	C:\Windows\tasksche.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	2752512
Entropy (8bit):	7.9983596446162535
Encrypted:	true
SSDEEP:	49152:zUx4db9A1iRdHAHZXaTnCshuTnSQYUB/UZfCg2clOQin2h37l2Jh93:z/b96AdHA5XaTJvQYUBBgRlJi+rl4
MD5:	23BE438907AAF12146646F32E399D494
SHA1:	8785F329B80C05714FB38880DABC7B3F908BA027
SHA-256:	2E335B26D70EA21BAE79E936DA29EC35E91685C5ACFC86966E21ACEC4C36E227
SHA-512:	5F421A75C381314A0F658F42D88E18A3897B420EDA41F8A2EF167CDB3B5A50C1043FB396573863376D2107B03EDC997E9907CCBE6919379057F78CF26AC68A3B
Malicious:	false
Preview:	PK..........!(................Data/PK........M..J................Data/Tor/PK..........!(................Tor/PK..........!(..t.......0.....Tor/libeay32.dll.:.t.e....6m.....Me.Vjil....!..E..T..e.....e....,.c..o=..t.u..,....J..k-.x.V..:1u....v..7.L~..?{..rN23.w......o..N2....WU..G..G.......Ed..7..q.o.5.]w.{...wl\y..m..w...?]......n......Z]UX./h4.....]...71....e.\^1..I..MH5...k.o+..s...c\|s....-#d,!..............eW...?a.......R..I..R......w.....m..#od.q.&..g.;.C(..t.V...j.Jq%...d_.Js...Hk.j#...DH.....,8_.O...]U....t .......ks:..T...18.C.%ASZJ3.U.nl..J.@)...$...N.s.O........m.0..e..4.....m...lI..Z..7.f-.?....;...?.SO....}..7#.L8...5.z.~.........E.S..1....7..0...pf.....jz.)..Y..8..^....B........p.W..r..B.....p..?......../`Wl..D.xAi..$..d.......&..p. ..bOtE.\.......(..&A...6v..S..Q...L...3 .:.6.m7.'.......)......iH.NZ_t.;./.a..n.g...A`.T.k.........."...<.rt..3....0.{N..yy...p.z.=..#.u.u...d......mQ...H..2.N.BRSN...XC....).".@.._.18.&...n

C:\Windows\tasksche.exe

Download File

Process:	C:\Windows\mssecsvc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3514368
Entropy (8bit):	7.777724762407647
Encrypted:	false
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3x:QqPe1Cxcxk3ZAEUadzR8sB
MD5:	79409B6F48460807480E4A574312D85F
SHA1:	5D9F64CCF13081441F2785A535E02312236445D9
SHA-256:	331E14A6594B700B6167690430C9DA72FEE72D408DD1B8C5CB155C0199033D0A
SHA-512:	AC004B3248CBC2CE7B6D566E3F5128195669E5C53C24AE13668E37FDADCB5158CC345D7A33CADFED6328A25A640C5FA612D0F0DB86989C3ACC21771B55508916
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 93%
Joe Sandbox View:	Filename: 542CxvZnI5.dll, Detection: malicious, Browse Filename: UR9TBr66am.dll, Detection: malicious, Browse Filename: eAx3JV2z84.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:..T...T...T..X...T.._...T.'.Z...T..^...T..P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L...A..L.................p... 5......w............@...........................5.................................................d.........4..........................................................................................................text....i.......p.................. ..`.rdata..p_.......`..................@..@.data...X........ ..................@....rsrc.....4.......4.................@..@........................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.106029924189513
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	txWVWM8Kx4.dll
File size:	5'267'459 bytes
MD5:	07a5d326b196d166dc0618e7c25ac2b5
SHA1:	7a23e2ef0682cfb8813a27dc559da187f9e178f5
SHA256:	5d7fa45d2fcb10893ee5bdbfc4b16bdeeffd34aa5791331332a8bbb1015cb63b
SHA512:	38088c24dacd01b7ecdef5afdbcbff2ee723bdea65d4e7138c5007b2de823aecd9db2f5e970ea4c132fac2938525b984d94dcc7c8d01af952bd79006b64ddfc2
SSDEEP:	98304:d8qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8s3:d8qPe1Cxcxk3ZAEUadzR8s
TLSH:	9836E052D2850EA4D5E10AF61269DB50A77F2F5582AFB23E2621402F1CB7F1C9DE4F2C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.r_9...9...9.......=...9...6.....A.:.......8.......8.......:...Rich9...........................PE..L...QW.Y...........!.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x100011e9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x59145751 [Thu May 11 12:21:37 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2e5708ae5fed0403e8117c645fb23e5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F2A9CCB28DBh
cmp dword ptr [10003140h], 00000000h
jmp 00007F2A9CCB28F8h
cmp esi, 01h
je 00007F2A9CCB28D7h
cmp esi, 02h
jne 00007F2A9CCB28F4h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F2A9CCB28DBh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F2A9CCB28DEh
push edi
push esi
push ebx
call 00007F2A9CCB27EAh
test eax, eax
jne 00007F2A9CCB28D6h
xor eax, eax
jmp 00007F2A9CCB2920h
push edi
push esi
push ebx
call 00007F2A9CCB269Ch
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F2A9CCB28DEh
test eax, eax
jne 00007F2A9CCB2909h
push edi
push eax
push ebx
call 00007F2A9CCB27C6h
test esi, esi
je 00007F2A9CCB28D7h
cmp esi, 03h
jne 00007F2A9CCB28F8h
push edi
push esi
push ebx
call 00007F2A9CCB27B5h
test eax, eax
jne 00007F2A9CCB28D5h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F2A9CCB28E3h
mov eax, dword ptr [10003150h]
test eax, eax
je 00007F2A9CCB28DAh
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [10002028h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x2190	0x48	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x203c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x500060	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x505000	0x5c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x28c	0x1000	8de9a2cb31e4c74bd008b871d14bfafc	False	0.13037109375	data	1.4429971244731552	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x1d8	0x1000	3dd394f95ab218593f2bc8eb65184db4	False	0.072509765625	data	0.7346018133622799	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3000	0x154	0x1000	fe5022c5b5d015ad38b2b77fc437a5cb	False	0.016845703125	Matlab v4 mat-file (little endian) C:\%s\%s, numeric, rows 0, columns 0	0.085238686413312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4000	0x500060	0x501000	bb90e698cd9907db1ec1973f1c30a5bb	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x505000	0x2ac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
W	0x4060	0x500000	data	English	United States	0.8770351409912109

Imports

DLL	Import
KERNEL32.dll	CloseHandle, WriteFile, CreateFileA, SizeofResource, LockResource, LoadResource, FindResourceA, CreateProcessA
MSVCRT.dll	free, _initterm, malloc, _adjust_fdiv, sprintf

Exports

Name	Ordinal	Address
PlayGame	1	0x10001114

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 18:11:57.840711117 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:11:58.012501001 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:11:58.121884108 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:03.066648006 CET	49704	445	192.168.2.5	52.34.64.23
Jan 15, 2025 18:12:03.071820974 CET	445	49704	52.34.64.23	192.168.2.5
Jan 15, 2025 18:12:03.071919918 CET	49704	445	192.168.2.5	52.34.64.23
Jan 15, 2025 18:12:03.071980953 CET	49704	445	192.168.2.5	52.34.64.23
Jan 15, 2025 18:12:03.072185993 CET	49705	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.077121973 CET	445	49705	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:03.077241898 CET	49705	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.077243090 CET	445	49704	52.34.64.23	192.168.2.5
Jan 15, 2025 18:12:03.077313900 CET	49704	445	192.168.2.5	52.34.64.23
Jan 15, 2025 18:12:03.077953100 CET	49705	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.082885981 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.082988024 CET	445	49705	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:03.083058119 CET	49705	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.087851048 CET	445	49706	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:03.087915897 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.087970972 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:03.092761993 CET	445	49706	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:05.060837984 CET	49729	445	192.168.2.5	59.178.161.129
Jan 15, 2025 18:12:05.065956116 CET	445	49729	59.178.161.129	192.168.2.5
Jan 15, 2025 18:12:05.066060066 CET	49729	445	192.168.2.5	59.178.161.129
Jan 15, 2025 18:12:05.066133022 CET	49729	445	192.168.2.5	59.178.161.129
Jan 15, 2025 18:12:05.066344976 CET	49730	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.071141005 CET	445	49730	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:05.071165085 CET	445	49729	59.178.161.129	192.168.2.5
Jan 15, 2025 18:12:05.071207047 CET	49730	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.071245909 CET	49729	445	192.168.2.5	59.178.161.129
Jan 15, 2025 18:12:05.071324110 CET	49730	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.072818041 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.076086998 CET	445	49730	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:05.076163054 CET	49730	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.077630043 CET	445	49731	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:05.077764988 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.077764988 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:05.082555056 CET	445	49731	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:07.076304913 CET	49754	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:07.450073004 CET	49674	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:07.621845007 CET	49675	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:07.629697084 CET	445	49754	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:07.629812002 CET	49754	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:07.629888058 CET	49754	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:07.630218029 CET	49761	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.634913921 CET	445	49754	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:07.634999990 CET	445	49761	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:07.635051012 CET	49754	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:07.635128021 CET	49761	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.635282993 CET	49761	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.636198044 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.640110016 CET	445	49761	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:07.640228987 CET	49761	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.640959024 CET	445	49762	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:07.641025066 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.641091108 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:07.645884037 CET	445	49762	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:07.731211901 CET	49673	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:09.092185020 CET	49779	445	192.168.2.5	133.14.202.157
Jan 15, 2025 18:12:09.097163916 CET	445	49779	133.14.202.157	192.168.2.5
Jan 15, 2025 18:12:09.097294092 CET	49779	445	192.168.2.5	133.14.202.157
Jan 15, 2025 18:12:09.097328901 CET	49779	445	192.168.2.5	133.14.202.157
Jan 15, 2025 18:12:09.097556114 CET	49780	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.102394104 CET	445	49780	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:09.102422953 CET	445	49779	133.14.202.157	192.168.2.5
Jan 15, 2025 18:12:09.102479935 CET	49780	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.102519989 CET	49780	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.102591038 CET	49779	445	192.168.2.5	133.14.202.157
Jan 15, 2025 18:12:09.103708029 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.107892990 CET	445	49780	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:09.107988119 CET	49780	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.108562946 CET	445	49781	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:09.108633995 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.108681917 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:09.113509893 CET	445	49781	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:11.002216101 CET	443	49703	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:11.002325058 CET	49703	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:11.107450962 CET	49802	445	192.168.2.5	136.243.125.160
Jan 15, 2025 18:12:11.112780094 CET	445	49802	136.243.125.160	192.168.2.5
Jan 15, 2025 18:12:11.112947941 CET	49802	445	192.168.2.5	136.243.125.160
Jan 15, 2025 18:12:11.113017082 CET	49802	445	192.168.2.5	136.243.125.160
Jan 15, 2025 18:12:11.113313913 CET	49803	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.118200064 CET	445	49803	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:11.118352890 CET	445	49802	136.243.125.160	192.168.2.5
Jan 15, 2025 18:12:11.118371010 CET	49803	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.118422031 CET	49802	445	192.168.2.5	136.243.125.160
Jan 15, 2025 18:12:11.118470907 CET	49803	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.119596958 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.123389006 CET	445	49803	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:11.123460054 CET	49803	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.124440908 CET	445	49804	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:11.124526024 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.124591112 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:11.129376888 CET	445	49804	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:12.798844099 CET	445	49804	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:12.798985004 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:12.799031973 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:12.799129963 CET	49804	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:12.804034948 CET	445	49804	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:12.804069996 CET	445	49804	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:13.143161058 CET	49827	445	192.168.2.5	74.80.92.140
Jan 15, 2025 18:12:13.148497105 CET	445	49827	74.80.92.140	192.168.2.5
Jan 15, 2025 18:12:13.148652077 CET	49827	445	192.168.2.5	74.80.92.140
Jan 15, 2025 18:12:13.156893015 CET	49827	445	192.168.2.5	74.80.92.140
Jan 15, 2025 18:12:13.157187939 CET	49828	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.161963940 CET	445	49827	74.80.92.140	192.168.2.5
Jan 15, 2025 18:12:13.162060022 CET	49827	445	192.168.2.5	74.80.92.140
Jan 15, 2025 18:12:13.162067890 CET	445	49828	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:13.162148952 CET	49828	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.179750919 CET	49828	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.184722900 CET	445	49828	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:13.184880972 CET	49828	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.189855099 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.194911003 CET	445	49829	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:13.194993019 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.198200941 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:13.203072071 CET	445	49829	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:15.138309002 CET	49850	445	192.168.2.5	104.93.180.79
Jan 15, 2025 18:12:15.143338919 CET	445	49850	104.93.180.79	192.168.2.5
Jan 15, 2025 18:12:15.143435001 CET	49850	445	192.168.2.5	104.93.180.79
Jan 15, 2025 18:12:15.143481970 CET	49850	445	192.168.2.5	104.93.180.79
Jan 15, 2025 18:12:15.143582106 CET	49851	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.148355961 CET	445	49851	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:15.148502111 CET	445	49850	104.93.180.79	192.168.2.5
Jan 15, 2025 18:12:15.148572922 CET	49851	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.148726940 CET	49850	445	192.168.2.5	104.93.180.79
Jan 15, 2025 18:12:15.148726940 CET	49851	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.148937941 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.153543949 CET	445	49851	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:15.153603077 CET	49851	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.153794050 CET	445	49852	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:15.153950930 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.153950930 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:15.158763885 CET	445	49852	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:15.269102097 CET	445	49829	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:15.269187927 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:15.269231081 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:15.269304991 CET	49829	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:15.274099112 CET	445	49829	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:15.274115086 CET	445	49829	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:15.817893982 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:15.822957039 CET	445	49860	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:15.823086977 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:15.841398954 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:15.846282005 CET	445	49860	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:17.156418085 CET	49874	445	192.168.2.5	60.213.189.205
Jan 15, 2025 18:12:17.161564112 CET	445	49874	60.213.189.205	192.168.2.5
Jan 15, 2025 18:12:17.162924051 CET	49874	445	192.168.2.5	60.213.189.205
Jan 15, 2025 18:12:17.163012981 CET	49874	445	192.168.2.5	60.213.189.205
Jan 15, 2025 18:12:17.163173914 CET	49875	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.168028116 CET	445	49875	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:17.168462992 CET	445	49874	60.213.189.205	192.168.2.5
Jan 15, 2025 18:12:17.168602943 CET	49874	445	192.168.2.5	60.213.189.205
Jan 15, 2025 18:12:17.168628931 CET	49875	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.169198990 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.173800945 CET	445	49875	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:17.174061060 CET	445	49875	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:17.174120903 CET	49875	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.174300909 CET	445	49876	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:17.174361944 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.174393892 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:17.179399967 CET	445	49876	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:17.522665977 CET	445	49860	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:17.522958994 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:17.523181915 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:17.523181915 CET	49860	445	192.168.2.5	136.243.125.1
Jan 15, 2025 18:12:17.528049946 CET	445	49860	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:17.528069019 CET	445	49860	136.243.125.1	192.168.2.5
Jan 15, 2025 18:12:17.575548887 CET	49884	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.580643892 CET	445	49884	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:17.581000090 CET	49884	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.581110001 CET	49884	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.581509113 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.586106062 CET	445	49884	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:17.586388111 CET	445	49885	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:17.586458921 CET	49884	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.586533070 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.586615086 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:17.591428041 CET	445	49885	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:18.278522015 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:18.283493996 CET	445	49893	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:18.283657074 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:18.283793926 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:18.288656950 CET	445	49893	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:19.009828091 CET	49703	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:19.010127068 CET	49703	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:19.014692068 CET	443	49703	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:19.014955997 CET	443	49703	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:19.017595053 CET	49903	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:19.017649889 CET	443	49903	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:19.017720938 CET	49903	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:19.018434048 CET	49903	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:19.018467903 CET	443	49903	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:19.169719934 CET	49906	445	192.168.2.5	60.171.191.45
Jan 15, 2025 18:12:19.174710035 CET	445	49906	60.171.191.45	192.168.2.5
Jan 15, 2025 18:12:19.174777985 CET	49906	445	192.168.2.5	60.171.191.45
Jan 15, 2025 18:12:19.174880028 CET	49906	445	192.168.2.5	60.171.191.45
Jan 15, 2025 18:12:19.175086975 CET	49907	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.181413889 CET	445	49906	60.171.191.45	192.168.2.5
Jan 15, 2025 18:12:19.181426048 CET	445	49907	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:19.181474924 CET	49906	445	192.168.2.5	60.171.191.45
Jan 15, 2025 18:12:19.181503057 CET	49907	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.181600094 CET	49907	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.182049990 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.186847925 CET	445	49907	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:19.186860085 CET	445	49908	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:19.186903954 CET	49907	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.186929941 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.187046051 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:19.191859007 CET	445	49908	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:19.609874964 CET	443	49903	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:19.609947920 CET	49903	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:20.328916073 CET	445	49893	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:20.328999043 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:20.329145908 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:20.329145908 CET	49893	445	192.168.2.5	74.80.92.1
Jan 15, 2025 18:12:20.333964109 CET	445	49893	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:20.333980083 CET	445	49893	74.80.92.1	192.168.2.5
Jan 15, 2025 18:12:20.387691021 CET	49928	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.392760038 CET	445	49928	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:20.392936945 CET	49928	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.393277884 CET	49928	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.393512011 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.398361921 CET	445	49929	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:20.398485899 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.398485899 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.398578882 CET	445	49928	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:20.398778915 CET	49928	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:20.403414011 CET	445	49929	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:21.186943054 CET	49944	445	192.168.2.5	75.48.114.78
Jan 15, 2025 18:12:21.191998005 CET	445	49944	75.48.114.78	192.168.2.5
Jan 15, 2025 18:12:21.192095995 CET	49944	445	192.168.2.5	75.48.114.78
Jan 15, 2025 18:12:21.192157030 CET	49944	445	192.168.2.5	75.48.114.78
Jan 15, 2025 18:12:21.192380905 CET	49945	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.197098017 CET	445	49944	75.48.114.78	192.168.2.5
Jan 15, 2025 18:12:21.197150946 CET	445	49945	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:21.197165966 CET	49944	445	192.168.2.5	75.48.114.78
Jan 15, 2025 18:12:21.197222948 CET	49945	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.197276115 CET	49945	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.197762966 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.202219963 CET	445	49945	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:21.202285051 CET	49945	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.202519894 CET	445	49946	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:21.202590942 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.202622890 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:21.207386971 CET	445	49946	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:22.456170082 CET	445	49929	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:22.456464052 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:22.456464052 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:22.456516027 CET	49929	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:22.461328983 CET	445	49929	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:22.461340904 CET	445	49929	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:23.200305939 CET	49983	445	192.168.2.5	198.243.245.217
Jan 15, 2025 18:12:23.205177069 CET	445	49983	198.243.245.217	192.168.2.5
Jan 15, 2025 18:12:23.210922003 CET	49983	445	192.168.2.5	198.243.245.217
Jan 15, 2025 18:12:23.210937023 CET	49983	445	192.168.2.5	198.243.245.217
Jan 15, 2025 18:12:23.211086035 CET	49984	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.215928078 CET	445	49984	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:23.216031075 CET	445	49983	198.243.245.217	192.168.2.5
Jan 15, 2025 18:12:23.216114998 CET	49984	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.216115952 CET	49983	445	192.168.2.5	198.243.245.217
Jan 15, 2025 18:12:23.216439009 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.221136093 CET	445	49984	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:23.221189976 CET	445	49985	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:23.221287966 CET	49984	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.221327066 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.221355915 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:23.226098061 CET	445	49985	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:24.447343111 CET	445	49706	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:24.447567940 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:24.447567940 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:24.447640896 CET	49706	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:24.452606916 CET	445	49706	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:24.452624083 CET	445	49706	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:25.215943098 CET	50017	445	192.168.2.5	188.228.236.160
Jan 15, 2025 18:12:25.220880985 CET	445	50017	188.228.236.160	192.168.2.5
Jan 15, 2025 18:12:25.220961094 CET	50017	445	192.168.2.5	188.228.236.160
Jan 15, 2025 18:12:25.221007109 CET	50017	445	192.168.2.5	188.228.236.160
Jan 15, 2025 18:12:25.221159935 CET	50018	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.225965977 CET	445	50017	188.228.236.160	192.168.2.5
Jan 15, 2025 18:12:25.225981951 CET	445	50018	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:25.226075888 CET	50017	445	192.168.2.5	188.228.236.160
Jan 15, 2025 18:12:25.226111889 CET	50018	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.226185083 CET	50018	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.226500988 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.231300116 CET	445	50019	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:25.231375933 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.231412888 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.232024908 CET	445	50018	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:25.232075930 CET	50018	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:25.236382961 CET	445	50019	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:25.465922117 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:25.472371101 CET	445	50024	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:25.472476959 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:25.472517967 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:25.479099989 CET	445	50024	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:26.447333097 CET	445	49731	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:26.447453976 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:26.447453976 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:26.447526932 CET	49731	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:26.452423096 CET	445	49731	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:26.452440977 CET	445	49731	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:27.233848095 CET	50057	445	192.168.2.5	41.167.36.161
Jan 15, 2025 18:12:27.238719940 CET	445	50057	41.167.36.161	192.168.2.5
Jan 15, 2025 18:12:27.238801956 CET	50057	445	192.168.2.5	41.167.36.161
Jan 15, 2025 18:12:27.238888025 CET	50057	445	192.168.2.5	41.167.36.161
Jan 15, 2025 18:12:27.239027023 CET	50058	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.243916035 CET	445	50058	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:27.243982077 CET	50058	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.243994951 CET	445	50057	41.167.36.161	192.168.2.5
Jan 15, 2025 18:12:27.244045019 CET	50057	445	192.168.2.5	41.167.36.161
Jan 15, 2025 18:12:27.244153976 CET	50058	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.244468927 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.248914003 CET	445	50058	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:27.248997927 CET	50058	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.249217033 CET	445	50060	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:27.249496937 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.249497890 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:27.254317999 CET	445	50060	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:27.456679106 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:27.461776018 CET	445	50061	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:27.461880922 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:27.464605093 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:27.469441891 CET	445	50061	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:27.549438000 CET	445	50024	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:27.549612045 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:27.584677935 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:27.584777117 CET	50024	445	192.168.2.5	74.80.92.2
Jan 15, 2025 18:12:27.589766026 CET	445	50024	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:27.589786053 CET	445	50024	74.80.92.2	192.168.2.5
Jan 15, 2025 18:12:27.640364885 CET	50063	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.645212889 CET	445	50063	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:27.645523071 CET	50063	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.648679972 CET	50063	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.653537035 CET	445	50063	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:27.653621912 CET	50063	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.662833929 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.667687893 CET	445	50064	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:27.667772055 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.667798042 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:27.672540903 CET	445	50064	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:29.026011944 CET	445	49762	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:29.026195049 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:29.026276112 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:29.026357889 CET	49762	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:29.031106949 CET	445	49762	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:29.031131029 CET	445	49762	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:29.248267889 CET	50076	445	192.168.2.5	147.208.214.20
Jan 15, 2025 18:12:29.253192902 CET	445	50076	147.208.214.20	192.168.2.5
Jan 15, 2025 18:12:29.258990049 CET	50076	445	192.168.2.5	147.208.214.20
Jan 15, 2025 18:12:29.259119987 CET	50076	445	192.168.2.5	147.208.214.20
Jan 15, 2025 18:12:29.259387016 CET	50077	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.264180899 CET	445	50076	147.208.214.20	192.168.2.5
Jan 15, 2025 18:12:29.264210939 CET	445	50077	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:29.264317036 CET	50076	445	192.168.2.5	147.208.214.20
Jan 15, 2025 18:12:29.264369011 CET	50077	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.264456034 CET	50077	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.264796019 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.269354105 CET	445	50077	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:29.269668102 CET	445	50078	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:29.269737005 CET	50077	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.269752979 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.269839048 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:29.274593115 CET	445	50078	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:29.450216055 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:29.455116034 CET	445	50081	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:29.455204964 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:29.455445051 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:29.460163116 CET	445	50081	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:30.511759043 CET	445	49781	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:30.511974096 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:30.512054920 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:30.512135983 CET	49781	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:30.516839981 CET	445	49781	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:30.516935110 CET	445	49781	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:31.263140917 CET	50094	445	192.168.2.5	82.127.77.223
Jan 15, 2025 18:12:31.268064976 CET	445	50094	82.127.77.223	192.168.2.5
Jan 15, 2025 18:12:31.268153906 CET	50094	445	192.168.2.5	82.127.77.223
Jan 15, 2025 18:12:31.268234968 CET	50094	445	192.168.2.5	82.127.77.223
Jan 15, 2025 18:12:31.268445969 CET	50095	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.273271084 CET	445	50095	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:31.273309946 CET	445	50094	82.127.77.223	192.168.2.5
Jan 15, 2025 18:12:31.273340940 CET	50095	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.273375034 CET	50095	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.273379087 CET	50094	445	192.168.2.5	82.127.77.223
Jan 15, 2025 18:12:31.273775101 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.278400898 CET	445	50095	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:31.278459072 CET	50095	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.278554916 CET	445	50096	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:31.278614998 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.279009104 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:31.283788919 CET	445	50096	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:32.028601885 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:32.033638000 CET	445	50102	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:32.034929037 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:32.039088964 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:32.043900967 CET	445	50102	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:33.278779030 CET	50109	445	192.168.2.5	193.209.214.28
Jan 15, 2025 18:12:33.283608913 CET	445	50109	193.209.214.28	192.168.2.5
Jan 15, 2025 18:12:33.283677101 CET	50109	445	192.168.2.5	193.209.214.28
Jan 15, 2025 18:12:33.283751011 CET	50109	445	192.168.2.5	193.209.214.28
Jan 15, 2025 18:12:33.283904076 CET	50110	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.288687944 CET	445	50109	193.209.214.28	192.168.2.5
Jan 15, 2025 18:12:33.288700104 CET	445	50110	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:33.288734913 CET	50109	445	192.168.2.5	193.209.214.28
Jan 15, 2025 18:12:33.288781881 CET	50110	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.288850069 CET	50110	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.289316893 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.293740988 CET	445	50110	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:33.293796062 CET	50110	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.294100046 CET	445	50111	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:33.294156075 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.294181108 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:33.298930883 CET	445	50111	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:33.513092041 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:33.518353939 CET	445	50115	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:33.518481016 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:33.518521070 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:33.523933887 CET	445	50115	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:35.294049025 CET	50128	445	192.168.2.5	161.4.168.214
Jan 15, 2025 18:12:35.298926115 CET	445	50128	161.4.168.214	192.168.2.5
Jan 15, 2025 18:12:35.299022913 CET	50128	445	192.168.2.5	161.4.168.214
Jan 15, 2025 18:12:35.299066067 CET	50128	445	192.168.2.5	161.4.168.214
Jan 15, 2025 18:12:35.299166918 CET	50129	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.303992987 CET	445	50129	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:35.304080963 CET	50129	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.304115057 CET	50129	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.304383993 CET	445	50128	161.4.168.214	192.168.2.5
Jan 15, 2025 18:12:35.304440975 CET	50128	445	192.168.2.5	161.4.168.214
Jan 15, 2025 18:12:35.304562092 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.309022903 CET	445	50129	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:35.309106112 CET	50129	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.309344053 CET	445	50130	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:35.309406042 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.309443951 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:35.314261913 CET	445	50130	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:36.510061979 CET	445	49852	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:36.511327028 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:36.526226044 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:36.526226044 CET	49852	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:36.531239986 CET	445	49852	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:36.531255960 CET	445	49852	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:37.309756041 CET	50143	445	192.168.2.5	95.129.132.70
Jan 15, 2025 18:12:37.314738035 CET	445	50143	95.129.132.70	192.168.2.5
Jan 15, 2025 18:12:37.314826012 CET	50143	445	192.168.2.5	95.129.132.70
Jan 15, 2025 18:12:37.314915895 CET	50143	445	192.168.2.5	95.129.132.70
Jan 15, 2025 18:12:37.315130949 CET	50144	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.319811106 CET	445	50143	95.129.132.70	192.168.2.5
Jan 15, 2025 18:12:37.319889069 CET	50143	445	192.168.2.5	95.129.132.70
Jan 15, 2025 18:12:37.320005894 CET	445	50144	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:37.320076942 CET	50144	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.320131063 CET	50144	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.320378065 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.324985981 CET	445	50144	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:37.325048923 CET	50144	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.325297117 CET	445	50145	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:37.325352907 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.325376987 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:37.330158949 CET	445	50145	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:38.592168093 CET	445	49876	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:38.592343092 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:38.598349094 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:38.598349094 CET	49876	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:38.603244066 CET	445	49876	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:38.603257895 CET	445	49876	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:38.775377989 CET	443	49903	23.1.237.91	192.168.2.5
Jan 15, 2025 18:12:38.775469065 CET	49903	443	192.168.2.5	23.1.237.91
Jan 15, 2025 18:12:38.994700909 CET	445	49885	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:38.994796991 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:38.994836092 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:38.994867086 CET	49885	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:38.999767065 CET	445	49885	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:38.999797106 CET	445	49885	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:39.185041904 CET	50157	445	192.168.2.5	113.103.233.249
Jan 15, 2025 18:12:39.189954996 CET	445	50157	113.103.233.249	192.168.2.5
Jan 15, 2025 18:12:39.192955971 CET	50157	445	192.168.2.5	113.103.233.249
Jan 15, 2025 18:12:39.192986012 CET	50157	445	192.168.2.5	113.103.233.249
Jan 15, 2025 18:12:39.193144083 CET	50159	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.198035955 CET	445	50159	113.103.233.1	192.168.2.5
Jan 15, 2025 18:12:39.198138952 CET	445	50157	113.103.233.249	192.168.2.5
Jan 15, 2025 18:12:39.198159933 CET	50159	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.198187113 CET	50157	445	192.168.2.5	113.103.233.249
Jan 15, 2025 18:12:39.198348045 CET	50159	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.198755026 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.203416109 CET	445	50159	113.103.233.1	192.168.2.5
Jan 15, 2025 18:12:39.203586102 CET	445	50160	113.103.233.1	192.168.2.5
Jan 15, 2025 18:12:39.203671932 CET	50159	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.203704119 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.203744888 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:12:39.208508968 CET	445	50160	113.103.233.1	192.168.2.5
Jan 15, 2025 18:12:39.530397892 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:39.535274029 CET	445	50163	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:39.537921906 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:39.537970066 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:12:39.542774916 CET	445	50163	104.93.180.1	192.168.2.5
Jan 15, 2025 18:12:40.541060925 CET	445	49908	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:40.541344881 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:40.541400909 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:40.541475058 CET	49908	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:40.546195984 CET	445	49908	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:40.546257019 CET	445	49908	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:40.934732914 CET	50173	445	192.168.2.5	126.96.38.227
Jan 15, 2025 18:12:40.939538002 CET	445	50173	126.96.38.227	192.168.2.5
Jan 15, 2025 18:12:40.939610958 CET	50173	445	192.168.2.5	126.96.38.227
Jan 15, 2025 18:12:40.939634085 CET	50173	445	192.168.2.5	126.96.38.227
Jan 15, 2025 18:12:40.939889908 CET	50174	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.944664955 CET	445	50174	126.96.38.1	192.168.2.5
Jan 15, 2025 18:12:40.944677114 CET	445	50173	126.96.38.227	192.168.2.5
Jan 15, 2025 18:12:40.944739103 CET	50173	445	192.168.2.5	126.96.38.227
Jan 15, 2025 18:12:40.944751978 CET	50174	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.945091963 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.949759960 CET	445	50174	126.96.38.1	192.168.2.5
Jan 15, 2025 18:12:40.949824095 CET	445	50175	126.96.38.1	192.168.2.5
Jan 15, 2025 18:12:40.949877977 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.949980021 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.950783014 CET	445	50174	126.96.38.1	192.168.2.5
Jan 15, 2025 18:12:40.950822115 CET	50174	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:12:40.954668045 CET	445	50175	126.96.38.1	192.168.2.5
Jan 15, 2025 18:12:41.606400967 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:41.611212969 CET	445	50180	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:41.611268997 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:41.611306906 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:12:41.616147041 CET	445	50180	60.213.189.1	192.168.2.5
Jan 15, 2025 18:12:41.997009039 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:42.001852989 CET	445	50183	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:42.002096891 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:42.002096891 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:12:42.006886005 CET	445	50183	136.243.125.2	192.168.2.5
Jan 15, 2025 18:12:42.575486898 CET	50189	445	192.168.2.5	29.147.136.127
Jan 15, 2025 18:12:42.580518007 CET	445	50189	29.147.136.127	192.168.2.5
Jan 15, 2025 18:12:42.583035946 CET	50189	445	192.168.2.5	29.147.136.127
Jan 15, 2025 18:12:42.583158016 CET	50190	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.583163023 CET	50189	445	192.168.2.5	29.147.136.127
Jan 15, 2025 18:12:42.588184118 CET	445	50190	29.147.136.1	192.168.2.5
Jan 15, 2025 18:12:42.588345051 CET	445	50189	29.147.136.127	192.168.2.5
Jan 15, 2025 18:12:42.588459015 CET	50189	445	192.168.2.5	29.147.136.127
Jan 15, 2025 18:12:42.588547945 CET	50190	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.588547945 CET	50190	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.588778973 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.593699932 CET	445	50191	29.147.136.1	192.168.2.5
Jan 15, 2025 18:12:42.593732119 CET	445	50190	29.147.136.1	192.168.2.5
Jan 15, 2025 18:12:42.593801975 CET	50190	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.593817949 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.593863964 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:12:42.598669052 CET	445	50191	29.147.136.1	192.168.2.5
Jan 15, 2025 18:12:42.619066000 CET	445	49946	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:42.622919083 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:42.622958899 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:42.622991085 CET	49946	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:42.627938986 CET	445	49946	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:42.627968073 CET	445	49946	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:43.544794083 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:43.550209045 CET	445	50197	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:43.550313950 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:43.550359964 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:12:43.557265997 CET	445	50197	60.171.191.1	192.168.2.5
Jan 15, 2025 18:12:44.106734991 CET	50202	445	192.168.2.5	152.117.243.51
Jan 15, 2025 18:12:44.111507893 CET	445	50202	152.117.243.51	192.168.2.5
Jan 15, 2025 18:12:44.111630917 CET	50202	445	192.168.2.5	152.117.243.51
Jan 15, 2025 18:12:44.111648083 CET	50202	445	192.168.2.5	152.117.243.51
Jan 15, 2025 18:12:44.111880064 CET	50203	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.116574049 CET	445	50202	152.117.243.51	192.168.2.5
Jan 15, 2025 18:12:44.116633892 CET	50202	445	192.168.2.5	152.117.243.51
Jan 15, 2025 18:12:44.116727114 CET	445	50203	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:44.116781950 CET	50203	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.116796017 CET	50203	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.117197990 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.121817112 CET	445	50203	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:44.121865034 CET	50203	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.122035980 CET	445	50204	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:44.122090101 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.123354912 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:44.128153086 CET	445	50204	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:44.592247009 CET	445	49985	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:44.594963074 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:44.595038891 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:44.595040083 CET	49985	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:44.599870920 CET	445	49985	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:44.599884033 CET	445	49985	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:45.589202881 CET	50214	445	192.168.2.5	99.19.50.104
Jan 15, 2025 18:12:45.594095945 CET	445	50214	99.19.50.104	192.168.2.5
Jan 15, 2025 18:12:45.594244957 CET	50214	445	192.168.2.5	99.19.50.104
Jan 15, 2025 18:12:45.595402002 CET	50214	445	192.168.2.5	99.19.50.104
Jan 15, 2025 18:12:45.595551014 CET	50215	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.600244045 CET	445	50214	99.19.50.104	192.168.2.5
Jan 15, 2025 18:12:45.600327969 CET	50214	445	192.168.2.5	99.19.50.104
Jan 15, 2025 18:12:45.600361109 CET	445	50215	99.19.50.1	192.168.2.5
Jan 15, 2025 18:12:45.600418091 CET	50215	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.602536917 CET	50215	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.607383966 CET	445	50215	99.19.50.1	192.168.2.5
Jan 15, 2025 18:12:45.607497931 CET	50215	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.637880087 CET	50216	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:45.641254902 CET	50217	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.642786026 CET	445	50216	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:45.642860889 CET	50216	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:45.642898083 CET	50216	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:12:45.646182060 CET	445	50217	99.19.50.1	192.168.2.5
Jan 15, 2025 18:12:45.646250963 CET	50217	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.646295071 CET	50217	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:12:45.647665024 CET	445	50216	75.48.114.1	192.168.2.5
Jan 15, 2025 18:12:45.651103020 CET	445	50217	99.19.50.1	192.168.2.5
Jan 15, 2025 18:12:46.623718977 CET	445	50019	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:46.626966953 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:46.627047062 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:46.627047062 CET	50019	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:46.631906986 CET	445	50019	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:46.631917000 CET	445	50019	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:46.887892008 CET	50225	445	192.168.2.5	43.89.144.111
Jan 15, 2025 18:12:46.892750025 CET	445	50225	43.89.144.111	192.168.2.5
Jan 15, 2025 18:12:46.892841101 CET	50225	445	192.168.2.5	43.89.144.111
Jan 15, 2025 18:12:46.892883062 CET	50225	445	192.168.2.5	43.89.144.111
Jan 15, 2025 18:12:46.893028975 CET	50226	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.897805929 CET	445	50225	43.89.144.111	192.168.2.5
Jan 15, 2025 18:12:46.897869110 CET	445	50226	43.89.144.1	192.168.2.5
Jan 15, 2025 18:12:46.897892952 CET	445	50225	43.89.144.111	192.168.2.5
Jan 15, 2025 18:12:46.897959948 CET	50226	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.897974968 CET	50225	445	192.168.2.5	43.89.144.111
Jan 15, 2025 18:12:46.898163080 CET	50226	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.898370981 CET	50227	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.903047085 CET	445	50226	43.89.144.1	192.168.2.5
Jan 15, 2025 18:12:46.903187990 CET	50226	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.903256893 CET	445	50227	43.89.144.1	192.168.2.5
Jan 15, 2025 18:12:46.903362989 CET	50227	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.903363943 CET	50227	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:12:46.908252954 CET	445	50227	43.89.144.1	192.168.2.5
Jan 15, 2025 18:12:47.606280088 CET	50233	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:47.611110926 CET	445	50233	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:47.611644983 CET	50233	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:47.611665964 CET	50233	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:12:47.616421938 CET	445	50233	198.243.245.1	192.168.2.5
Jan 15, 2025 18:12:48.122286081 CET	50239	445	192.168.2.5	194.81.103.25
Jan 15, 2025 18:12:48.127119064 CET	445	50239	194.81.103.25	192.168.2.5
Jan 15, 2025 18:12:48.127239943 CET	50239	445	192.168.2.5	194.81.103.25
Jan 15, 2025 18:12:48.127257109 CET	50239	445	192.168.2.5	194.81.103.25
Jan 15, 2025 18:12:48.127372980 CET	50240	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.132112026 CET	445	50240	194.81.103.1	192.168.2.5
Jan 15, 2025 18:12:48.132169962 CET	50240	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.132188082 CET	50240	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.132555962 CET	50241	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.133295059 CET	445	50239	194.81.103.25	192.168.2.5
Jan 15, 2025 18:12:48.133344889 CET	50239	445	192.168.2.5	194.81.103.25
Jan 15, 2025 18:12:48.137077093 CET	445	50240	194.81.103.1	192.168.2.5
Jan 15, 2025 18:12:48.137121916 CET	50240	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.137301922 CET	445	50241	194.81.103.1	192.168.2.5
Jan 15, 2025 18:12:48.137439013 CET	50241	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.137475014 CET	50241	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:12:48.142189026 CET	445	50241	194.81.103.1	192.168.2.5
Jan 15, 2025 18:12:48.604151011 CET	445	50060	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:48.604346991 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:48.604415894 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:48.604415894 CET	50060	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:48.609170914 CET	445	50060	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:48.609183073 CET	445	50060	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:48.873579979 CET	445	50061	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:48.873672009 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:48.873730898 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:48.873779058 CET	50061	445	192.168.2.5	52.34.64.1
Jan 15, 2025 18:12:48.878746986 CET	445	50061	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:48.878781080 CET	445	50061	52.34.64.1	192.168.2.5
Jan 15, 2025 18:12:48.934505939 CET	50246	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.939479113 CET	445	50246	52.34.64.2	192.168.2.5
Jan 15, 2025 18:12:48.939558983 CET	50246	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.939590931 CET	50246	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.940079927 CET	50247	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.944664955 CET	445	50246	52.34.64.2	192.168.2.5
Jan 15, 2025 18:12:48.944720030 CET	50246	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.944974899 CET	445	50247	52.34.64.2	192.168.2.5
Jan 15, 2025 18:12:48.945043087 CET	50247	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.945082903 CET	50247	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:12:48.949836016 CET	445	50247	52.34.64.2	192.168.2.5
Jan 15, 2025 18:12:49.057089090 CET	445	50064	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:49.057290077 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:49.057385921 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:49.057387114 CET	50064	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:49.063488007 CET	445	50064	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:49.063505888 CET	445	50064	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:49.278614998 CET	50248	445	192.168.2.5	180.35.1.114
Jan 15, 2025 18:12:49.285106897 CET	445	50248	180.35.1.114	192.168.2.5
Jan 15, 2025 18:12:49.285324097 CET	50248	445	192.168.2.5	180.35.1.114
Jan 15, 2025 18:12:49.285460949 CET	50248	445	192.168.2.5	180.35.1.114
Jan 15, 2025 18:12:49.285676956 CET	50249	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.291958094 CET	445	50249	180.35.1.1	192.168.2.5
Jan 15, 2025 18:12:49.292048931 CET	50249	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.292059898 CET	445	50248	180.35.1.114	192.168.2.5
Jan 15, 2025 18:12:49.292109013 CET	50249	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.292136908 CET	50248	445	192.168.2.5	180.35.1.114
Jan 15, 2025 18:12:49.292573929 CET	50250	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.298701048 CET	445	50249	180.35.1.1	192.168.2.5
Jan 15, 2025 18:12:49.298800945 CET	50249	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.299119949 CET	445	50250	180.35.1.1	192.168.2.5
Jan 15, 2025 18:12:49.299213886 CET	50250	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.299256086 CET	50250	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:12:49.304620028 CET	445	50250	180.35.1.1	192.168.2.5
Jan 15, 2025 18:12:49.637614965 CET	50255	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:49.642528057 CET	445	50255	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:49.642663956 CET	50255	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:49.642663956 CET	50255	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:12:49.647543907 CET	445	50255	188.228.236.1	192.168.2.5
Jan 15, 2025 18:12:50.356519938 CET	50260	445	192.168.2.5	107.54.42.129
Jan 15, 2025 18:12:50.361402035 CET	445	50260	107.54.42.129	192.168.2.5
Jan 15, 2025 18:12:50.361504078 CET	50260	445	192.168.2.5	107.54.42.129
Jan 15, 2025 18:12:50.361552000 CET	50260	445	192.168.2.5	107.54.42.129
Jan 15, 2025 18:12:50.361850023 CET	50261	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.366584063 CET	445	50260	107.54.42.129	192.168.2.5
Jan 15, 2025 18:12:50.366662979 CET	50260	445	192.168.2.5	107.54.42.129
Jan 15, 2025 18:12:50.366703033 CET	445	50261	107.54.42.1	192.168.2.5
Jan 15, 2025 18:12:50.366754055 CET	50261	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.366785049 CET	50261	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.367005110 CET	50262	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.371669054 CET	445	50261	107.54.42.1	192.168.2.5
Jan 15, 2025 18:12:50.371782064 CET	50261	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.371810913 CET	445	50262	107.54.42.1	192.168.2.5
Jan 15, 2025 18:12:50.371937990 CET	50262	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.371937990 CET	50262	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:12:50.376713037 CET	445	50262	107.54.42.1	192.168.2.5
Jan 15, 2025 18:12:50.666568995 CET	445	50078	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:50.666637897 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:50.666690111 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:50.666753054 CET	50078	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:50.671488047 CET	445	50078	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:50.671556950 CET	445	50078	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:50.824708939 CET	445	50081	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:50.824809074 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:50.824938059 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:50.825005054 CET	50081	445	192.168.2.5	59.178.161.1
Jan 15, 2025 18:12:50.829808950 CET	445	50081	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:50.829819918 CET	445	50081	59.178.161.1	192.168.2.5
Jan 15, 2025 18:12:50.887754917 CET	50264	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.892837048 CET	445	50264	59.178.161.2	192.168.2.5
Jan 15, 2025 18:12:50.892954111 CET	50264	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.893004894 CET	50264	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.893270016 CET	50265	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.898144960 CET	445	50265	59.178.161.2	192.168.2.5
Jan 15, 2025 18:12:50.898178101 CET	445	50264	59.178.161.2	192.168.2.5
Jan 15, 2025 18:12:50.898225069 CET	50265	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.898257017 CET	50264	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.898266077 CET	50265	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:12:50.903141975 CET	445	50265	59.178.161.2	192.168.2.5
Jan 15, 2025 18:12:51.346963882 CET	445	50204	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:51.347070932 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:51.347140074 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:51.347141027 CET	50204	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:51.352015972 CET	445	50204	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:51.352050066 CET	445	50204	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:51.373874903 CET	50271	445	192.168.2.5	136.227.119.21
Jan 15, 2025 18:12:51.378941059 CET	445	50271	136.227.119.21	192.168.2.5
Jan 15, 2025 18:12:51.379034042 CET	50271	445	192.168.2.5	136.227.119.21
Jan 15, 2025 18:12:51.379164934 CET	50271	445	192.168.2.5	136.227.119.21
Jan 15, 2025 18:12:51.379340887 CET	50272	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.384228945 CET	445	50272	136.227.119.1	192.168.2.5
Jan 15, 2025 18:12:51.384316921 CET	445	50271	136.227.119.21	192.168.2.5
Jan 15, 2025 18:12:51.384320021 CET	50272	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.384381056 CET	50271	445	192.168.2.5	136.227.119.21
Jan 15, 2025 18:12:51.384433985 CET	50272	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.384747982 CET	50273	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.389543056 CET	445	50272	136.227.119.1	192.168.2.5
Jan 15, 2025 18:12:51.389616966 CET	445	50273	136.227.119.1	192.168.2.5
Jan 15, 2025 18:12:51.389621973 CET	50272	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.389708042 CET	50273	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.389731884 CET	50273	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:12:51.394536018 CET	445	50273	136.227.119.1	192.168.2.5
Jan 15, 2025 18:12:51.606416941 CET	50274	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:51.611429930 CET	445	50274	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:51.611566067 CET	50274	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:51.611644983 CET	50274	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:12:51.616437912 CET	445	50274	41.167.36.1	192.168.2.5
Jan 15, 2025 18:12:52.059554100 CET	50279	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:52.064495087 CET	445	50279	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:52.064738035 CET	50279	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:52.064779043 CET	50279	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:12:52.069593906 CET	445	50279	74.80.92.3	192.168.2.5
Jan 15, 2025 18:12:52.309919119 CET	50281	445	192.168.2.5	7.191.5.66
Jan 15, 2025 18:12:52.314840078 CET	445	50281	7.191.5.66	192.168.2.5
Jan 15, 2025 18:12:52.315092087 CET	50281	445	192.168.2.5	7.191.5.66
Jan 15, 2025 18:12:52.315109015 CET	50281	445	192.168.2.5	7.191.5.66
Jan 15, 2025 18:12:52.315265894 CET	50282	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.320112944 CET	445	50282	7.191.5.1	192.168.2.5
Jan 15, 2025 18:12:52.320171118 CET	445	50281	7.191.5.66	192.168.2.5
Jan 15, 2025 18:12:52.320205927 CET	50282	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.320245028 CET	50281	445	192.168.2.5	7.191.5.66
Jan 15, 2025 18:12:52.320245028 CET	50282	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.320453882 CET	50283	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.325196981 CET	445	50282	7.191.5.1	192.168.2.5
Jan 15, 2025 18:12:52.325329065 CET	445	50283	7.191.5.1	192.168.2.5
Jan 15, 2025 18:12:52.325329065 CET	50282	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.325422049 CET	50283	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.325422049 CET	50283	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:12:52.330228090 CET	445	50283	7.191.5.1	192.168.2.5
Jan 15, 2025 18:12:52.619677067 CET	445	50096	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:52.619755030 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:52.619961977 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:52.619961977 CET	50096	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:52.624751091 CET	445	50096	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:52.624772072 CET	445	50096	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:53.186453104 CET	50289	445	192.168.2.5	108.182.16.49
Jan 15, 2025 18:12:53.191390991 CET	445	50289	108.182.16.49	192.168.2.5
Jan 15, 2025 18:12:53.191500902 CET	50289	445	192.168.2.5	108.182.16.49
Jan 15, 2025 18:12:53.192085028 CET	50289	445	192.168.2.5	108.182.16.49
Jan 15, 2025 18:12:53.192306042 CET	50290	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.196981907 CET	445	50289	108.182.16.49	192.168.2.5
Jan 15, 2025 18:12:53.197082996 CET	50289	445	192.168.2.5	108.182.16.49
Jan 15, 2025 18:12:53.197298050 CET	445	50290	108.182.16.1	192.168.2.5
Jan 15, 2025 18:12:53.197381020 CET	50290	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.200304985 CET	50290	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.200892925 CET	50291	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.205821037 CET	445	50290	108.182.16.1	192.168.2.5
Jan 15, 2025 18:12:53.205852032 CET	445	50291	108.182.16.1	192.168.2.5
Jan 15, 2025 18:12:53.205915928 CET	50291	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.205950022 CET	50291	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.206995964 CET	445	50290	108.182.16.1	192.168.2.5
Jan 15, 2025 18:12:53.207055092 CET	50290	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:12:53.210843086 CET	445	50291	108.182.16.1	192.168.2.5
Jan 15, 2025 18:12:53.422818899 CET	445	50102	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:53.422981977 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:53.423037052 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:53.423105955 CET	50102	445	192.168.2.5	161.26.121.1
Jan 15, 2025 18:12:53.427771091 CET	445	50102	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:53.427838087 CET	445	50102	161.26.121.1	192.168.2.5
Jan 15, 2025 18:12:53.481789112 CET	50295	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.486681938 CET	445	50295	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:53.486792088 CET	50295	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.486864090 CET	50295	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.487356901 CET	50296	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.492305040 CET	445	50296	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:53.492381096 CET	50296	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.492415905 CET	50296	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.497195959 CET	445	50296	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:53.497813940 CET	445	50295	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:53.504425049 CET	445	50295	161.26.121.2	192.168.2.5
Jan 15, 2025 18:12:53.504487038 CET	50295	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:12:53.669018030 CET	50299	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:53.674024105 CET	445	50299	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:53.674144983 CET	50299	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:53.674233913 CET	50299	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:12:53.678971052 CET	445	50299	147.208.214.1	192.168.2.5
Jan 15, 2025 18:12:54.013114929 CET	50300	445	192.168.2.5	15.1.53.127
Jan 15, 2025 18:12:54.017995119 CET	445	50300	15.1.53.127	192.168.2.5
Jan 15, 2025 18:12:54.018085003 CET	50300	445	192.168.2.5	15.1.53.127
Jan 15, 2025 18:12:54.018223047 CET	50300	445	192.168.2.5	15.1.53.127
Jan 15, 2025 18:12:54.018512964 CET	50301	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.023066044 CET	445	50300	15.1.53.127	192.168.2.5
Jan 15, 2025 18:12:54.023122072 CET	50300	445	192.168.2.5	15.1.53.127
Jan 15, 2025 18:12:54.023252010 CET	445	50301	15.1.53.1	192.168.2.5
Jan 15, 2025 18:12:54.023341894 CET	50301	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.023369074 CET	50301	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.023777962 CET	50302	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.028261900 CET	445	50301	15.1.53.1	192.168.2.5
Jan 15, 2025 18:12:54.028328896 CET	50301	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.028572083 CET	445	50302	15.1.53.1	192.168.2.5
Jan 15, 2025 18:12:54.028635025 CET	50302	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.028666973 CET	50302	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:12:54.033406019 CET	445	50302	15.1.53.1	192.168.2.5
Jan 15, 2025 18:12:54.356729984 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:54.361588955 CET	445	50307	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:54.361689091 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:54.361737013 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:54.366549015 CET	445	50307	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:54.701725006 CET	445	50111	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:54.701901913 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:54.701953888 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:54.702018023 CET	50111	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:54.706909895 CET	445	50111	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:54.706923962 CET	445	50111	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:54.778618097 CET	50309	445	192.168.2.5	21.217.77.225
Jan 15, 2025 18:12:54.783432007 CET	445	50309	21.217.77.225	192.168.2.5
Jan 15, 2025 18:12:54.783502102 CET	50309	445	192.168.2.5	21.217.77.225
Jan 15, 2025 18:12:54.783526897 CET	50309	445	192.168.2.5	21.217.77.225
Jan 15, 2025 18:12:54.783651114 CET	50310	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.788376093 CET	445	50310	21.217.77.1	192.168.2.5
Jan 15, 2025 18:12:54.788532972 CET	445	50309	21.217.77.225	192.168.2.5
Jan 15, 2025 18:12:54.788719893 CET	50310	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.788825989 CET	50309	445	192.168.2.5	21.217.77.225
Jan 15, 2025 18:12:54.789099932 CET	50310	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.789725065 CET	50311	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.794243097 CET	445	50310	21.217.77.1	192.168.2.5
Jan 15, 2025 18:12:54.794328928 CET	50310	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.794503927 CET	445	50311	21.217.77.1	192.168.2.5
Jan 15, 2025 18:12:54.794573069 CET	50311	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.794595957 CET	50311	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:12:54.799340010 CET	445	50311	21.217.77.1	192.168.2.5
Jan 15, 2025 18:12:54.889489889 CET	445	50115	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:54.889559984 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:54.889703989 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:54.889925003 CET	50115	445	192.168.2.5	133.14.202.1
Jan 15, 2025 18:12:54.894496918 CET	445	50115	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:54.894690037 CET	445	50115	133.14.202.1	192.168.2.5
Jan 15, 2025 18:12:54.966095924 CET	50315	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.971066952 CET	445	50315	133.14.202.2	192.168.2.5
Jan 15, 2025 18:12:54.971143007 CET	50315	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.971236944 CET	50315	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.971972942 CET	50316	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.976305008 CET	445	50315	133.14.202.2	192.168.2.5
Jan 15, 2025 18:12:54.976387978 CET	50315	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.976843119 CET	445	50316	133.14.202.2	192.168.2.5
Jan 15, 2025 18:12:54.976916075 CET	50316	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.976942062 CET	50316	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:12:54.981816053 CET	445	50316	133.14.202.2	192.168.2.5
Jan 15, 2025 18:12:55.622097969 CET	50320	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:55.627094030 CET	445	50320	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:55.627178907 CET	50320	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:55.627247095 CET	50320	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:12:55.632081032 CET	445	50320	82.127.77.1	192.168.2.5
Jan 15, 2025 18:12:56.270818949 CET	445	50307	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:56.274051905 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:56.274051905 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:56.274051905 CET	50307	445	192.168.2.5	152.117.243.1
Jan 15, 2025 18:12:56.281189919 CET	445	50307	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:56.281203985 CET	445	50307	152.117.243.1	192.168.2.5
Jan 15, 2025 18:12:56.325217009 CET	50327	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.330528021 CET	445	50327	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:56.330754042 CET	50327	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.330754042 CET	50327	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.331353903 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.335963011 CET	445	50327	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:56.336183071 CET	50327	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.336998940 CET	445	50328	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:56.337694883 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.337694883 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:56.342561960 CET	445	50328	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:56.673036098 CET	445	50130	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:56.673522949 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:56.673522949 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:56.673522949 CET	50130	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:56.678448915 CET	445	50130	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:56.678482056 CET	445	50130	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:57.715687037 CET	50343	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:57.720638990 CET	445	50343	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:57.723067045 CET	50343	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:57.723067999 CET	50343	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:12:57.727900028 CET	445	50343	193.209.214.1	192.168.2.5
Jan 15, 2025 18:12:58.257627964 CET	445	50328	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:58.257848978 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:58.257848978 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:58.257848978 CET	50328	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:12:58.262738943 CET	445	50328	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:58.262770891 CET	445	50328	152.117.243.2	192.168.2.5
Jan 15, 2025 18:12:58.698160887 CET	445	50145	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:58.700650930 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:58.700702906 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:58.700731993 CET	50145	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:12:58.705550909 CET	445	50145	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:58.705569983 CET	445	50145	95.129.132.1	192.168.2.5
Jan 15, 2025 18:12:59.684562922 CET	50370	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:59.689450026 CET	445	50370	161.4.168.1	192.168.2.5
Jan 15, 2025 18:12:59.693999052 CET	50370	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:59.694160938 CET	50370	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:12:59.707369089 CET	445	50370	161.4.168.1	192.168.2.5
Jan 15, 2025 18:13:00.619882107 CET	445	50160	113.103.233.1	192.168.2.5
Jan 15, 2025 18:13:00.619997025 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:00.620171070 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:00.620171070 CET	50160	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:00.624967098 CET	445	50160	113.103.233.1	192.168.2.5
Jan 15, 2025 18:13:00.624986887 CET	445	50160	113.103.233.1	192.168.2.5
Jan 15, 2025 18:13:00.902868032 CET	445	50163	104.93.180.1	192.168.2.5
Jan 15, 2025 18:13:00.903269053 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:13:00.903470993 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:13:00.903470993 CET	50163	445	192.168.2.5	104.93.180.1
Jan 15, 2025 18:13:00.909364939 CET	445	50163	104.93.180.1	192.168.2.5
Jan 15, 2025 18:13:00.909377098 CET	445	50163	104.93.180.1	192.168.2.5
Jan 15, 2025 18:13:00.965745926 CET	50392	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.970643044 CET	445	50392	104.93.180.2	192.168.2.5
Jan 15, 2025 18:13:00.970717907 CET	50392	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.970813036 CET	50392	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.971204042 CET	50393	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.975737095 CET	445	50392	104.93.180.2	192.168.2.5
Jan 15, 2025 18:13:00.975799084 CET	50392	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.976027966 CET	445	50393	104.93.180.2	192.168.2.5
Jan 15, 2025 18:13:00.976121902 CET	50393	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.976159096 CET	50393	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:00.980922937 CET	445	50393	104.93.180.2	192.168.2.5
Jan 15, 2025 18:13:01.262835979 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:01.267709017 CET	445	50400	152.117.243.2	192.168.2.5
Jan 15, 2025 18:13:01.267805099 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:01.267853975 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:01.272635937 CET	445	50400	152.117.243.2	192.168.2.5
Jan 15, 2025 18:13:01.716089964 CET	50409	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:13:01.720917940 CET	445	50409	95.129.132.1	192.168.2.5
Jan 15, 2025 18:13:01.720987082 CET	50409	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:13:01.721055031 CET	50409	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:13:01.725837946 CET	445	50409	95.129.132.1	192.168.2.5
Jan 15, 2025 18:13:02.323120117 CET	445	50175	126.96.38.1	192.168.2.5
Jan 15, 2025 18:13:02.323199034 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:02.323247910 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:02.323267937 CET	50175	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:02.328063965 CET	445	50175	126.96.38.1	192.168.2.5
Jan 15, 2025 18:13:02.328074932 CET	445	50175	126.96.38.1	192.168.2.5
Jan 15, 2025 18:13:02.985224009 CET	445	50180	60.213.189.1	192.168.2.5
Jan 15, 2025 18:13:02.985318899 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:13:02.985414028 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:13:02.985414982 CET	50180	445	192.168.2.5	60.213.189.1
Jan 15, 2025 18:13:02.990381956 CET	445	50180	60.213.189.1	192.168.2.5
Jan 15, 2025 18:13:02.990416050 CET	445	50180	60.213.189.1	192.168.2.5
Jan 15, 2025 18:13:03.043884039 CET	50436	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.048922062 CET	445	50436	60.213.189.2	192.168.2.5
Jan 15, 2025 18:13:03.048994064 CET	50436	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.049088001 CET	50436	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.049385071 CET	50437	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.054224968 CET	445	50437	60.213.189.2	192.168.2.5
Jan 15, 2025 18:13:03.054291010 CET	50437	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.054316044 CET	50437	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.054332018 CET	445	50436	60.213.189.2	192.168.2.5
Jan 15, 2025 18:13:03.054387093 CET	50436	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:03.059266090 CET	445	50437	60.213.189.2	192.168.2.5
Jan 15, 2025 18:13:03.181055069 CET	445	50400	152.117.243.2	192.168.2.5
Jan 15, 2025 18:13:03.181152105 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:03.181262016 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:03.181334019 CET	50400	445	192.168.2.5	152.117.243.2
Jan 15, 2025 18:13:03.186223984 CET	445	50400	152.117.243.2	192.168.2.5
Jan 15, 2025 18:13:03.186260939 CET	445	50400	152.117.243.2	192.168.2.5
Jan 15, 2025 18:13:03.248141050 CET	50442	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.253249884 CET	445	50442	152.117.243.3	192.168.2.5
Jan 15, 2025 18:13:03.253331900 CET	50442	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.253350019 CET	50442	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.253843069 CET	50443	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.258454084 CET	445	50442	152.117.243.3	192.168.2.5
Jan 15, 2025 18:13:03.258667946 CET	50442	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.258711100 CET	445	50443	152.117.243.3	192.168.2.5
Jan 15, 2025 18:13:03.258780003 CET	50443	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.258816957 CET	50443	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:03.263720989 CET	445	50443	152.117.243.3	192.168.2.5
Jan 15, 2025 18:13:03.371884108 CET	445	50183	136.243.125.2	192.168.2.5
Jan 15, 2025 18:13:03.372036934 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:13:03.372136116 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:13:03.372136116 CET	50183	445	192.168.2.5	136.243.125.2
Jan 15, 2025 18:13:03.377090931 CET	445	50183	136.243.125.2	192.168.2.5
Jan 15, 2025 18:13:03.377129078 CET	445	50183	136.243.125.2	192.168.2.5
Jan 15, 2025 18:13:03.434585094 CET	50449	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.439640045 CET	445	50449	136.243.125.3	192.168.2.5
Jan 15, 2025 18:13:03.439754009 CET	50449	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.439807892 CET	50449	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.440253019 CET	50450	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.445208073 CET	445	50450	136.243.125.3	192.168.2.5
Jan 15, 2025 18:13:03.445241928 CET	445	50449	136.243.125.3	192.168.2.5
Jan 15, 2025 18:13:03.445317030 CET	50450	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.445353031 CET	50450	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.445369005 CET	50449	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:03.450072050 CET	445	50450	136.243.125.3	192.168.2.5
Jan 15, 2025 18:13:03.622076988 CET	50455	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:03.626933098 CET	445	50455	113.103.233.1	192.168.2.5
Jan 15, 2025 18:13:03.627032995 CET	50455	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:03.627077103 CET	50455	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:03.631912947 CET	445	50455	113.103.233.1	192.168.2.5
Jan 15, 2025 18:13:03.983339071 CET	445	50191	29.147.136.1	192.168.2.5
Jan 15, 2025 18:13:03.983488083 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:13:03.983537912 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:13:03.983587980 CET	50191	445	192.168.2.5	29.147.136.1
Jan 15, 2025 18:13:03.995392084 CET	445	50191	29.147.136.1	192.168.2.5
Jan 15, 2025 18:13:03.995404959 CET	445	50191	29.147.136.1	192.168.2.5
Jan 15, 2025 18:13:04.901546955 CET	445	50197	60.171.191.1	192.168.2.5
Jan 15, 2025 18:13:04.901850939 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:13:04.902025938 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:13:04.902025938 CET	50197	445	192.168.2.5	60.171.191.1
Jan 15, 2025 18:13:04.906945944 CET	445	50197	60.171.191.1	192.168.2.5
Jan 15, 2025 18:13:04.906960964 CET	445	50197	60.171.191.1	192.168.2.5
Jan 15, 2025 18:13:04.966243029 CET	50498	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.971653938 CET	445	50498	60.171.191.2	192.168.2.5
Jan 15, 2025 18:13:04.971765995 CET	50498	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.971810102 CET	50498	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.972172022 CET	50499	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.976876020 CET	445	50498	60.171.191.2	192.168.2.5
Jan 15, 2025 18:13:04.976996899 CET	445	50499	60.171.191.2	192.168.2.5
Jan 15, 2025 18:13:04.977024078 CET	50498	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.977071047 CET	50499	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.977112055 CET	50499	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:04.981940031 CET	445	50499	60.171.191.2	192.168.2.5
Jan 15, 2025 18:13:05.324980974 CET	50514	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:05.330183983 CET	445	50514	126.96.38.1	192.168.2.5
Jan 15, 2025 18:13:05.330952883 CET	50514	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:05.330987930 CET	50514	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:13:05.335778952 CET	445	50514	126.96.38.1	192.168.2.5
Jan 15, 2025 18:13:07.010687113 CET	445	50217	99.19.50.1	192.168.2.5
Jan 15, 2025 18:13:07.010744095 CET	50217	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:13:07.026278019 CET	445	50216	75.48.114.1	192.168.2.5
Jan 15, 2025 18:13:07.026377916 CET	50216	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:13:08.238936901 CET	50247	445	192.168.2.5	52.34.64.2
Jan 15, 2025 18:13:08.238996983 CET	50443	445	192.168.2.5	152.117.243.3
Jan 15, 2025 18:13:08.239057064 CET	50316	445	192.168.2.5	133.14.202.2
Jan 15, 2025 18:13:08.239094019 CET	50437	445	192.168.2.5	60.213.189.2
Jan 15, 2025 18:13:08.239161015 CET	50409	445	192.168.2.5	95.129.132.1
Jan 15, 2025 18:13:08.239182949 CET	50265	445	192.168.2.5	59.178.161.2
Jan 15, 2025 18:13:08.239239931 CET	50255	445	192.168.2.5	188.228.236.1
Jan 15, 2025 18:13:08.239269972 CET	50296	445	192.168.2.5	161.26.121.2
Jan 15, 2025 18:13:08.239310026 CET	50216	445	192.168.2.5	75.48.114.1
Jan 15, 2025 18:13:08.239335060 CET	50217	445	192.168.2.5	99.19.50.1
Jan 15, 2025 18:13:08.239367962 CET	50227	445	192.168.2.5	43.89.144.1
Jan 15, 2025 18:13:08.239392996 CET	50233	445	192.168.2.5	198.243.245.1
Jan 15, 2025 18:13:08.239419937 CET	50241	445	192.168.2.5	194.81.103.1
Jan 15, 2025 18:13:08.239449024 CET	50250	445	192.168.2.5	180.35.1.1
Jan 15, 2025 18:13:08.239480972 CET	50262	445	192.168.2.5	107.54.42.1
Jan 15, 2025 18:13:08.239507914 CET	50273	445	192.168.2.5	136.227.119.1
Jan 15, 2025 18:13:08.239536047 CET	50274	445	192.168.2.5	41.167.36.1
Jan 15, 2025 18:13:08.239558935 CET	50279	445	192.168.2.5	74.80.92.3
Jan 15, 2025 18:13:08.239635944 CET	50283	445	192.168.2.5	7.191.5.1
Jan 15, 2025 18:13:08.239662886 CET	50291	445	192.168.2.5	108.182.16.1
Jan 15, 2025 18:13:08.239686966 CET	50299	445	192.168.2.5	147.208.214.1
Jan 15, 2025 18:13:08.239713907 CET	50302	445	192.168.2.5	15.1.53.1
Jan 15, 2025 18:13:08.239741087 CET	50311	445	192.168.2.5	21.217.77.1
Jan 15, 2025 18:13:08.239768028 CET	50320	445	192.168.2.5	82.127.77.1
Jan 15, 2025 18:13:08.239797115 CET	50393	445	192.168.2.5	104.93.180.2
Jan 15, 2025 18:13:08.239823103 CET	50343	445	192.168.2.5	193.209.214.1
Jan 15, 2025 18:13:08.239859104 CET	50370	445	192.168.2.5	161.4.168.1
Jan 15, 2025 18:13:08.239891052 CET	50450	445	192.168.2.5	136.243.125.3
Jan 15, 2025 18:13:08.239922047 CET	50455	445	192.168.2.5	113.103.233.1
Jan 15, 2025 18:13:08.240022898 CET	50499	445	192.168.2.5	60.171.191.2
Jan 15, 2025 18:13:08.240091085 CET	50514	445	192.168.2.5	126.96.38.1
Jan 15, 2025 18:14:08.270948887 CET	50619	445	192.168.2.5	218.181.19.94
Jan 15, 2025 18:14:08.392841101 CET	445	50619	218.181.19.94	192.168.2.5
Jan 15, 2025 18:14:08.395117044 CET	50619	445	192.168.2.5	218.181.19.94
Jan 15, 2025 18:14:08.395272970 CET	50619	445	192.168.2.5	218.181.19.94
Jan 15, 2025 18:14:08.395293951 CET	50623	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.400135994 CET	445	50623	218.181.19.1	192.168.2.5
Jan 15, 2025 18:14:08.400320053 CET	445	50619	218.181.19.94	192.168.2.5
Jan 15, 2025 18:14:08.400412083 CET	50619	445	192.168.2.5	218.181.19.94
Jan 15, 2025 18:14:08.400475979 CET	50623	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.400475979 CET	50623	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.400995970 CET	50624	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.405633926 CET	445	50623	218.181.19.1	192.168.2.5
Jan 15, 2025 18:14:08.405733109 CET	50623	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.405828953 CET	445	50624	218.181.19.1	192.168.2.5
Jan 15, 2025 18:14:08.405903101 CET	50624	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.405945063 CET	50624	445	192.168.2.5	218.181.19.1
Jan 15, 2025 18:14:08.410748959 CET	445	50624	218.181.19.1	192.168.2.5
Jan 15, 2025 18:14:10.278495073 CET	50644	445	192.168.2.5	178.219.104.9
Jan 15, 2025 18:14:10.283432007 CET	445	50644	178.219.104.9	192.168.2.5
Jan 15, 2025 18:14:10.283504009 CET	50644	445	192.168.2.5	178.219.104.9
Jan 15, 2025 18:14:10.283552885 CET	50644	445	192.168.2.5	178.219.104.9
Jan 15, 2025 18:14:10.283830881 CET	50645	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.288503885 CET	445	50644	178.219.104.9	192.168.2.5
Jan 15, 2025 18:14:10.288583994 CET	50644	445	192.168.2.5	178.219.104.9
Jan 15, 2025 18:14:10.288712978 CET	445	50645	178.219.104.1	192.168.2.5
Jan 15, 2025 18:14:10.288785934 CET	50645	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.288844109 CET	50645	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.289123058 CET	50646	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.293724060 CET	445	50645	178.219.104.1	192.168.2.5
Jan 15, 2025 18:14:10.294014931 CET	445	50645	178.219.104.1	192.168.2.5
Jan 15, 2025 18:14:10.294044971 CET	445	50646	178.219.104.1	192.168.2.5
Jan 15, 2025 18:14:10.294073105 CET	50645	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.294110060 CET	50646	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.294145107 CET	50646	445	192.168.2.5	178.219.104.1
Jan 15, 2025 18:14:10.298938990 CET	445	50646	178.219.104.1	192.168.2.5

Target ID:	0
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll"
Imagebase:	0xf60000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\txWVWM8Kx4.dll,PlayGame
Imagebase:	0x220000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",#1
Imagebase:	0x220000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:12:01
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A75A57A712300662CE3FF1447A0C4805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000000.2053811513.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000000.2053681836.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:12:02
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe -m security
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A75A57A712300662CE3FF1447A0C4805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2056001605.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000000.2056132349.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2693479834.0000000001E83000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000007.00000002.2693749913.00000000023A0000.00000004.00000020.00020000.00000000.sdmp, Author: us-cert code analysis team
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:12:02
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000008.00000000.2058421206.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\Windows\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\Windows\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\Windows\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\Windows\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:12:02
Start date:	15/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe"
Imagebase:	0x7ff630150000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:12:02
Start date:	15/01/2025
Path:	C:\ProgramData\dsvqhifq359\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\dsvqhifq359\tasksche.exe
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000002.2068015450.000000000040F000.00000004.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000000A.00000000.2060906503.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: Joe Security Rule: WannaCry_Ransomware, Description: Detects WannaCry Ransomware, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: Florian Roth (with the help of binar.ly) Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: us-cert code analysis team Rule: Win32_Ransomware_WannaCry, Description: unknown, Source: C:\ProgramData\dsvqhifq359\tasksche.exe, Author: ReversingLabs
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 93%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:12:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:12:03
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:12:03
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:12:03
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:12:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\txWVWM8Kx4.dll",PlayGame
Imagebase:	0x220000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:12:04
Start date:	15/01/2025
Path:	C:\Windows\mssecsvc.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\mssecsvc.exe
Imagebase:	0x400000
File size:	3'723'264 bytes
MD5 hash:	A75A57A712300662CE3FF1447A0C4805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000002.2086246634.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000010.00000002.2086390129.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000000.2082010028.000000000040F000.00000008.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000010.00000000.2082127312.0000000000710000.00000002.00000001.01000000.00000004.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\WINDOWS\tasksche.exe /i
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000000.2085577185.000000000040E000.00000008.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000011.00000002.3127527649.000000000040F000.00000004.00000001.01000000.00000007.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /c "C:\ProgramData\dsvqhifq359\tasksche.exe"
Imagebase:	0x7ff630150000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: tasksche.exePID: 7120, Parent PID: 3816

General

Target ID:	19
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\ProgramData\dsvqhifq359\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\dsvqhifq359\tasksche.exe
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000013.00000002.2092835134.000000000040F000.00000004.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000013.00000000.2087719412.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	12:12:05
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	12:12:54
Start date:	15/01/2025
Path:	C:\ProgramData\dsvqhifq359\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\dsvqhifq359\tasksche.exe
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001A.00000002.2582916598.000000000040F000.00000004.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001A.00000000.2577645149.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	12:12:54
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	12:12:54
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	12:12:54
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	12:12:54
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	12:12:56
Start date:	15/01/2025
Path:	C:\ProgramData\dsvqhifq359\tasksche.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\dsvqhifq359\tasksche.exe
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	79409B6F48460807480E4A574312D85F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001F.00000002.2605730753.000000000040F000.00000004.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 0000001F.00000000.2599504308.000000000040E000.00000008.00000001.01000000.00000008.sdmp, Author: us-cert code analysis team
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	12:12:57
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	12:12:57
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	12:12:57
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	12:12:57
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	12:13:46
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	12:13:46
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	12:13:46
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	12:13:46
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	12:13:49
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\attrib.exe
Wow64 process (32bit):	true
Commandline:	attrib +h .
Imagebase:	0x320000
File size:	19'456 bytes
MD5 hash:	0E938DD280E83B1596EC6AA48729C2B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	12:13:49
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	icacls . /grant Everyone:F /T /C /Q
Imagebase:	0x780000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	12:13:49
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	12:13:49
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	77.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
CloseHandle.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

tasksche.exe, xrefs: 00407DEA
kernel32.dll, xrefs: 00407CEA
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
C:\%s\%s, xrefs: 00407DFB
WriteFile, xrefs: 00407D1C
CloseHandle, xrefs: 00407D29
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000005.00000002.2059135210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2059115177.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059156323.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059350693.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressHandleProcResource$CloseFile$Createsprintf$FindLoadLockModuleMoveProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4281112323-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.SECHOST(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000005.00000002.2059135210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2059115177.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059156323.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059350693.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000005.00000002.2059135210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2059115177.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059156323.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059350693.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000005.00000002.2059135210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2059115177.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059156323.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059350693.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000005.00000002.2059135210.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.2059115177.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059156323.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059180156.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059350693.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.2059483616.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: mssecsvc.exePID: 616, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.0,000F01FF,6F370EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.0, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000007.00000002.2692391389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2692377736.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692406078.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692468126.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692484546.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.0
API String ID: 4274534310-3729025388
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 6.0, APIs: 4, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Memory Dump Source

Source File: 00000007.00000002.2692391389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2692377736.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692406078.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692468126.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692484546.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen
String ID:
API String ID: 435140893-0
Opcode ID: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction ID: 1dd4d323c29996ceece3d10fb5d3e331cb9ed4e1cabd62d72b2cd6c3d10c6962
Opcode Fuzzy Hash: 7bc602e844cdf910e4a24fc0389d75e4e4c0db4e5e0cdfe1b8e612c3f784a296
Instruction Fuzzy Hash: 050162715443106EE320DF648D01B6B7BE9EF85710F01082EF984E7280EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.0,Microsoft Security Center (2.0) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F370EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

mssecsvc2.0, xrefs: 00407C95
Microsoft Security Center (2.0) Service, xrefs: 00407C90
%s -m security, xrefs: 00407C50

Memory Dump Source

Source File: 00000007.00000002.2692391389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2692377736.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692406078.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692468126.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692484546.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.0) Service$mssecsvc2.0
API String ID: 3340711343-4063779371
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F370EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

C:\%s\%s, xrefs: 00407DFB
/i, xrefs: 00407E8D
WriteFile, xrefs: 00407D1C
kernel32.dll, xrefs: 00407CEA
CloseHandle, xrefs: 00407D29
WINDOWS, xrefs: 00407DF2, 00407E0D
CreateProcessA, xrefs: 00407D07
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA
D, xrefs: 00407ED3

Memory Dump Source

Source File: 00000007.00000002.2692391389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2692377736.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692406078.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692468126.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692484546.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000007.00000002.2692391389.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2692377736.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692406078.000000000040A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692420438.000000000040F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692455039.000000000042E000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692468126.000000000042F000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692484546.0000000000431000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.2692571152.0000000000710000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_mssecsvc.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Analysis Process: tasksche.exePID: 3552, Parent PID: 3176COMMON

Execution Graph

Execution Coverage:	12%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.5%
Total number of Nodes:	667
Total number of Limit Nodes:	13

Executed Functions

Function 004014A6 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 178
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00401556
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00401591
ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004015BD
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004015DA
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 004015F7
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
ReadFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0040168E
_local_unwind2.MSVCRT ref: 004016D6

Strings

WANACRY!, xrefs: 00401566
2!@, xrefs: 004016C5

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Read$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 1982583507-2846199637
Opcode ID: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction ID: 23909f9b909e50c20e483d6bc4be6e23e355ec3bf8b0a6de4718622c8bde6caa
Opcode Fuzzy Hash: 3616707767261f84fde6c13708b35c3d4dbb974938da28d5f777545cb9cffa02
Instruction Fuzzy Hash: 6E512C71900209ABDB219F95CD84FEEB7BCEB08790F1444BAF515F21A0D739AA45CB28

Function 004014B3 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 175
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040150D
GetFileSizeEx.KERNEL32(00000000,?), ref: 00401529
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 00401556
memcmp.MSVCRT(?,WANACRY!,00000008), ref: 00401572
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 00401591
ReadFile.KERNEL32(00000000,?,00000100,?,00000000), ref: 004015BD
ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 004015DA
ReadFile.KERNEL32(00000000,?,00000008,?,00000000), ref: 004015F7
GlobalAlloc.KERNEL32(00000000,?,?,?,00000010,?,?,?,?), ref: 0040166D
ReadFile.KERNEL32(000000FF,?,?,?,00000000), ref: 0040168E
_local_unwind2.MSVCRT ref: 004016D6

Strings

WANACRY!, xrefs: 00401566
2!@, xrefs: 004016C5

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Read$AllocCreateGlobalSize_local_unwind2memcmp
String ID: 2!@$WANACRY!
API String ID: 1982583507-2846199637
Opcode ID: 0617473e4e20d7b6ed9bef36bf15e82b9b6eff7b6dc2b454fe684dd7f5303500
Instruction ID: 4f5db7b03fbae4bd1a74ba09c9783dfc14942441ffc150fb06ee42d3f2d97cbc
Opcode Fuzzy Hash: 0617473e4e20d7b6ed9bef36bf15e82b9b6eff7b6dc2b454fe684dd7f5303500
Instruction Fuzzy Hash: EF511C71901219AFDB219F95CD88BEEB7BCEB08380F1444BAF515F61A0D7399A45CF28

Function 00401CE8 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 75
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE
OpenServiceA.ADVAPI32(00000000,dsvqhifq359,000F01FF), ref: 00401D21
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00401D31
CloseServiceHandle.ADVAPI32(?), ref: 00401D3A
CloseServiceHandle.ADVAPI32(?), ref: 00401D9E

Strings

cmd.exe /c "%s", xrefs: 00401D4E
dsvqhifq359, xrefs: 00401D19, 00401D1F, 00401D70, 00401D71

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerStart
String ID: cmd.exe /c "%s"$dsvqhifq359
API String ID: 1485051382-2525565682
Opcode ID: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction ID: 93977d8af42d47d1d9866270745c8e9c50065656b45fe828c5c40e24baaa5e60
Opcode Fuzzy Hash: 4dc5d8109ff1f89eb2c8b95274d01a87daa9a34efcc40f147da3f0b4c8cffa2a
Instruction Fuzzy Hash: 6411AF71900118BBDB205B659E4CE9FBF7CEF85745F10407AF601F21A0CA744949DB68

Function 00401861 Relevance: 1.5, APIs: 1, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0040182C: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,00401869,?,00401448,?), ref: 00401849

CryptImportKey.ADVAPI32(?,0040EBF8,00000494,00000000,00000000,?,?,00401448,?), ref: 00401888

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Crypt$AcquireContextImport
String ID:
API String ID: 193843291-0
Opcode ID: 00163cd05f23b90a1eb4289055b6149a937518a9f4e0d8f5a43f95d4d64a5ccf
Instruction ID: dd5a952b134a24afde2d3cacf3910d543f64e1b6cba6ed960c047e302ab63d3a
Opcode Fuzzy Hash: 00163cd05f23b90a1eb4289055b6149a937518a9f4e0d8f5a43f95d4d64a5ccf
Instruction Fuzzy Hash: 15F08C73504202AAF6247621DC42E7772ACAF10348B00C83BF946F05F0E779EA919659

Function 0040182C Relevance: 1.5, APIs: 1, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000000,?,?,00401869,?,00401448,?), ref: 00401849

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: 05a3c7366586a31bd645e4b87497eee4fc7f9b0be6c205703f8acccdb6d36970
Instruction ID: a10c3aed07c23a8bf5b408c060acb1fa1e0ef34e360896137e0dfc64bb6721bb
Opcode Fuzzy Hash: 05a3c7366586a31bd645e4b87497eee4fc7f9b0be6c205703f8acccdb6d36970
Instruction Fuzzy Hash: 1EE0C23734011064F330242AAC05FE71559D7C1714F14C036F906EA0D0C2248A4780A8

Function 00401FE7 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 132
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000208), ref: 0040201F

Part of subcall function 00401225: GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
Part of subcall function 00401225: wcslen.MSVCRT ref: 00401279
Part of subcall function 00401225: wcslen.MSVCRT ref: 00401298
Part of subcall function 00401225: srand.MSVCRT ref: 004012A1
Part of subcall function 00401225: rand.MSVCRT ref: 004012AE
Part of subcall function 00401225: rand.MSVCRT ref: 004012C0
Part of subcall function 00401225: rand.MSVCRT ref: 004012DD

__p___argc.MSVCRT ref: 00402030
__p___argv.MSVCRT ref: 00402040
strcmp.MSVCRT ref: 0040204B

Part of subcall function 00401B5F: MultiByteToWideChar.KERNEL32(00000000,00000000,dsvqhifq359,000000FF,?,00000063), ref: 00401BCA
Part of subcall function 00401B5F: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
Part of subcall function 00401B5F: swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
Part of subcall function 00401B5F: GetFileAttributesW.KERNELBASE(?), ref: 00401C10

CopyFileA.KERNEL32(?,tasksche.exe,00000000), ref: 0040206F
GetFileAttributesA.KERNELBASE(tasksche.exe), ref: 00402076

Part of subcall function 00401F5D: GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

strrchr.MSVCRT ref: 0040209D
strrchr.MSVCRT ref: 004020AE
SetCurrentDirectoryA.KERNELBASE(?), ref: 004020BB

Strings

attrib +h ., xrefs: 004020DC
icacls . /grant Everyone:F /T /C /Q, xrefs: 004020E8
TaskStart, xrefs: 00402145
dsvqhifq359, xrefs: 00402025
tasksche.exe, xrefs: 00402061, 0040206D, 00402075
t.wnry, xrefs: 00402125

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Namerand$AttributesDirectorystrrchrwcslen$ByteCharComputerCopyCurrentFullModuleMultiPathWideWindows__p___argc__p___argvsrandstrcmpswprintf
String ID: TaskStart$attrib +h .$dsvqhifq359$icacls . /grant Everyone:F /T /C /Q$t.wnry$tasksche.exe
API String ID: 1102508541-3280366790
Opcode ID: 2ff1392d6f58b437ec25317e3d0be93fd1ee27ac7dc1296052efe3cc6886503f
Instruction ID: 97633fc0405850e3ba211803acf8e340ff081048f6dba40907e2b9e4b27fb4f3
Opcode Fuzzy Hash: 2ff1392d6f58b437ec25317e3d0be93fd1ee27ac7dc1296052efe3cc6886503f
Instruction Fuzzy Hash: 3741B472500359AEDB20A7B1DE49E9F376C9F10314F2005BFF645F61E2DE788D488A28

Function 0040714C Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%s%s, xrefs: 00407389
\, xrefs: 00407358
:, xrefs: 0040736E
%s%s%s, xrefs: 004072F6

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s$%s%s%s$:$\
API String ID: 0-1100577047
Opcode ID: 7af23acfb13c3847202d0f3544f069c8b3606865e2b11a7f6c25b24928257d8c
Instruction ID: dec7791a7ad8f487ce6c0967fc7a8847d7a3d4ba063244555504d9e5938931ce
Opcode Fuzzy Hash: 7af23acfb13c3847202d0f3544f069c8b3606865e2b11a7f6c25b24928257d8c
Instruction Fuzzy Hash: 86710671D0C2089ADB219F14CC44BEA7BA9AB01304F1445BFF885B62D1D779BA86CB5A

Function 00401B5F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,dsvqhifq359,000000FF,?,00000063), ref: 00401BCA
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00401BDD
swprintf.MSVCRT(?,%s\ProgramData,?), ref: 00401C04
GetFileAttributesW.KERNELBASE(?), ref: 00401C10
swprintf.MSVCRT(?,%s\Intel,?), ref: 00401C53
GetTempPathW.KERNEL32(00000104,?), ref: 00401C97
wcsrchr.MSVCRT ref: 00401CAC
wcsrchr.MSVCRT ref: 00401CBD

Part of subcall function 00401AF6: CreateDirectoryW.KERNELBASE(?,00000000), ref: 00401B07
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNELBASE(?), ref: 00401B12
Part of subcall function 00401AF6: CreateDirectoryW.KERNELBASE(?,00000000), ref: 00401B1E
Part of subcall function 00401AF6: SetCurrentDirectoryW.KERNELBASE(?), ref: 00401B21

Strings

%s\ProgramData, xrefs: 00401BFE
%s\Intel, xrefs: 00401C4D
dsvqhifq359, xrefs: 00401BC1

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$CreateCurrentswprintfwcsrchr$AttributesByteCharFileMultiPathTempWideWindows
String ID: %s\Intel$%s\ProgramData$dsvqhifq359
API String ID: 3806094219-2329595571
Opcode ID: 82f37d28a7ec1077cf8751c63b0340feb8606763232324736a07dd36ddf2b000
Instruction ID: 4ac525b1174630586dc3f01422198d44c3eaba501bd80531e66e43f198221a67
Opcode Fuzzy Hash: 82f37d28a7ec1077cf8751c63b0340feb8606763232324736a07dd36ddf2b000
Instruction Fuzzy Hash: 2C41447294021DAAEF609BA0DD45FDA777CAF04310F1045BBE608F71E0EA74DA888F59

Function 004010FD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 100
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcscat.MSVCRT ref: 0040114B
RegCreateKeyW.ADVAPI32(80000001,?,00000000), ref: 0040117A
GetCurrentDirectoryA.KERNEL32(00000207,?), ref: 0040119A
strlen.MSVCRT ref: 004011A7
RegSetValueExA.ADVAPI32(00000000,0040E030,00000000,00000001,?,00000001), ref: 004011BD
RegQueryValueExA.ADVAPI32(00000000,0040E030,00000000,00000000,?,?), ref: 004011E4
SetCurrentDirectoryA.KERNEL32(?), ref: 004011FA
RegCloseKey.ADVAPI32(00000000), ref: 00401203

Strings

Software\, xrefs: 0040110A
0@, xrefs: 00401157
WanaCrypt0r, xrefs: 00401145

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryValue$CloseCreateQuerystrlenwcscat
String ID: 0@$Software\$WanaCrypt0r
API String ID: 865909632-3421300005
Opcode ID: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction ID: 752dd9e6153134350df00ddc45e524be7a8e60cbe47ba2191db59f61a0b32c4f
Opcode Fuzzy Hash: be197859f140e0a5161343930b87c84f9738d6a9d10ac2d583ef225433aeadb0
Instruction Fuzzy Hash: 09316232801228EBDB218B90DD09BDEBB78EB44751F1140BBE645F6190CB745E84CBA8

Function 004077C7 Relevance: 16.6, APIs: 11, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 004077E7
__p__fmode.MSVCRT ref: 004077FC
__p__commode.MSVCRT ref: 0040780A
__setusermatherr.MSVCRT ref: 00407836
_initterm.MSVCRT ref: 0040784C
__getmainargs.MSVCRT ref: 0040786F
_initterm.MSVCRT ref: 0040787F
GetStartupInfoA.KERNEL32(?), ref: 004078BE
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004078E2
exit.KERNELBASE ref: 004078F2
_XcptFilter.MSVCRT ref: 00407904

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction ID: b6807de3fe1c3e28ab0f2b8c021909998ac3013dced3884fb388c7f537fcd598
Opcode Fuzzy Hash: 0e2500766ef754de96a0bec646d21198ba904cb2609c2db2b7504f8e1e7d9631
Instruction Fuzzy Hash: A34173B1C04344AFDB20AFA4DE49AA97BB8BF05310F20417FE581B72E1D7786845CB59

Function 00401AF6 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00401B07
SetCurrentDirectoryW.KERNELBASE(?), ref: 00401B12
CreateDirectoryW.KERNELBASE(?,00000000), ref: 00401B1E
SetCurrentDirectoryW.KERNELBASE(?), ref: 00401B21
GetFileAttributesW.KERNELBASE(?), ref: 00401B2C
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00401B36
swprintf.MSVCRT(?,%s\%s,?,?), ref: 00401B4E

Strings

%s\%s, xrefs: 00401B46

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Directory$AttributesCreateCurrentFile$swprintf
String ID: %s\%s
API String ID: 1036847564-4073750446
Opcode ID: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction ID: 4a0a9b6f0974b2b783bf1fd4f993800d593798a72c4fd06372b86497b3864b36
Opcode Fuzzy Hash: e8d223ccc4edc92c4536f1ca202ba6161fd040db7272db682552e70b0b18d917
Instruction Fuzzy Hash: 99F06271200208BBEB103F65DE44F9B3B2CEB457A5F015832FA46B61A1DB75A855CAB8

Function 00401064 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004010A8
WaitForSingleObject.KERNEL32(?,?), ref: 004010BD
TerminateProcess.KERNEL32(?,000000FF), ref: 004010CC
GetExitCodeProcess.KERNEL32(?,?), ref: 004010DD
CloseHandle.KERNEL32(?), ref: 004010EC
CloseHandle.KERNEL32(?), ref: 004010F1

Strings

D, xrefs: 00401074

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Process$CloseHandle$CodeCreateExitObjectSingleTerminateWait
String ID: D
API String ID: 786732093-2746444292
Opcode ID: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction ID: fabf2a0aaa91e867d54492d1ca24e81fc8ed090543e33b3e61fa812da4358066
Opcode Fuzzy Hash: 520ef4afec62fe4405832db260c3c6b21caa087d375fb1c1d919acb3a27097cb
Instruction Fuzzy Hash: 8D116431900229ABDB218F9ADD04ADFBF79FF04720F008426F514B65A0DB708A18DAA8

Function 00401225 Relevance: 10.6, APIs: 7, Instructions: 87
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32(?,0000018F), ref: 0040125F
wcslen.MSVCRT ref: 00401279
wcslen.MSVCRT ref: 00401298
srand.MSVCRT ref: 004012A1
rand.MSVCRT ref: 004012AE
rand.MSVCRT ref: 004012C0
rand.MSVCRT ref: 004012DD

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: rand$wcslen$ComputerNamesrand
String ID:
API String ID: 3058258771-0
Opcode ID: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction ID: 153b78e0bdef4b648922335b0398b7079fc1e42e5dbb3c53d325bf346215f47a
Opcode Fuzzy Hash: b0791ced207a07d975efd615d75f91e7379ad7fc4ff6fb2c179a53625b9ec986
Instruction Fuzzy Hash: FA212833A00318ABD7119B65ED81BDD77A8EB45354F1100BBF948F71C0CA759EC28BA8

Function 00407070 Relevance: 10.6, APIs: 7, Instructions: 74
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00407083
CreateDirectoryA.KERNEL32(?,00000000), ref: 00407091
memcpy.MSVCRT(?,?,?), ref: 004070CA
strcpy.MSVCRT(00000000,?), ref: 004070FB
strcat.MSVCRT(00000000,?), ref: 0040710A
GetFileAttributesA.KERNELBASE(00000000), ref: 00407118
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040712C

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$memcpystrcatstrcpy
String ID:
API String ID: 2935503933-0
Opcode ID: ec2dd8a6a6d018b3cd610cad55174b7a39c77c45f8e06270025fb69be962d290
Instruction ID: 50ba023859918e707bf45bf33fbe73a6a33da9a39eec2eddc6b78618a8cc3524
Opcode Fuzzy Hash: ec2dd8a6a6d018b3cd610cad55174b7a39c77c45f8e06270025fb69be962d290
Instruction Fuzzy Hash: 1A112B72C0821456CB305B749D88FD7776C9B11320F1403BBE595B32C2DA78BD898669

Function 00401EFF Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00401F16
OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Sleep.KERNELBASE(000003E8), ref: 00401F40
CloseHandle.KERNEL32(00000000), ref: 00401F52

Strings

Global\MsWinZonesCacheCounterMutexA, xrefs: 00401F08
%s%d, xrefs: 00401F10

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexOpenSleepsprintf
String ID: %s%d$Global\MsWinZonesCacheCounterMutexA
API String ID: 2780352083-2959021817
Opcode ID: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction ID: f4a3b48a0bafa41ae68b0177be176e29d76f271436d11399ade0a1af8f7a19ee
Opcode Fuzzy Hash: d195781efe0b704a0c45d33d3827b966fde6c598e7eccee7cfdb972a19423a06
Instruction Fuzzy Hash: 92F0E931A40305BBDB20EBA49E4AB9B7758AB04B40F104036F945FA0D2DBB8D54586D8

Function 00401000 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fopen.MSVCRT ref: 0040101B
fread.MSVCRT ref: 0040103F
fwrite.MSVCRT ref: 00401047
fclose.MSVCRT ref: 00401058

Strings

c.wnry, xrefs: 00401016

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: fclosefopenfreadfwrite
String ID: c.wnry
API String ID: 4000964834-3240288721
Opcode ID: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction ID: 4fc4ee2583eead98f325da0eb4a8e2a7a7827d82b7f69226d67b1691b23a23d5
Opcode Fuzzy Hash: 83356dae967f3845aa64eafaf8b7e6f79fd4dc7784855bee587f11601882f661
Instruction Fuzzy Hash: 0CF05931204260ABCA301F656D4AA277B10DBC4F61F10083FF1C1F40E2CABD44C296BE

Function 00401E67 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00401E6E

Strings

PWVuW, xrefs: 00401E47
c.wnry, xrefs: 00401E55
PX, xrefs: 00401E5A

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: PWVuW$PX$c.wnry
API String ID: 3188754299-2001399172
Opcode ID: ec73f6b3c9132d7e3ce96bf0fbf9a1f131312635740bf2e065ed47a29311a57c
Instruction ID: 1ab428f28edc1f41aae3b1c0182739b4a88dd02c55c662672f6f3eeec65b2962
Opcode Fuzzy Hash: ec73f6b3c9132d7e3ce96bf0fbf9a1f131312635740bf2e065ed47a29311a57c
Instruction Fuzzy Hash: 16F08272D0101429DA20A665DC45EDF336C9B85338F1004B7F945F10C1EB39EAD58AA9

Function 00401F5D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(tasksche.exe,00000208,?,00000000), ref: 00401F97

Part of subcall function 00401CE8: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00401CFE

Part of subcall function 00401EFF: sprintf.MSVCRT ref: 00401F16
Part of subcall function 00401EFF: OpenMutexA.KERNEL32(00100000,00000001,?), ref: 00401F31
Part of subcall function 00401EFF: Sleep.KERNELBASE(000003E8), ref: 00401F40

Strings

tasksche.exe, xrefs: 00401F92

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Open$FullManagerMutexNamePathSleepsprintf
String ID: tasksche.exe
API String ID: 167337186-4155512336
Opcode ID: e28efb750bf976631a794869ff46538edd4b3e3d85bdc5ef0a4500b41de16267
Instruction ID: 32b044e02b32a453714f0bad96ed570d6c8ae3fbdab621874b5fd1cc0105bf25
Opcode Fuzzy Hash: e28efb750bf976631a794869ff46538edd4b3e3d85bdc5ef0a4500b41de16267
Instruction Fuzzy Hash: B101F93274430965FF6056B5ED0AF9B73AC5B00704F0005B7FA94F51E2EEB4D6858768

Function 00407572 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004074FE,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000), ref: 00407587
??3@YAXPAX@Z.MSVCRT(?,00000000,00000000,004074FE,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000), ref: 004075A1

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ba5292d95df2e6e8fe9c6fc3959bdbdfb5d84876b251159bb7c94f9be4a473a2
Instruction ID: 0625bedb389590e33774cd0b9b2d0ee1860b9ef3adb0428d6309db58d756d510
Opcode Fuzzy Hash: ba5292d95df2e6e8fe9c6fc3959bdbdfb5d84876b251159bb7c94f9be4a473a2
Instruction Fuzzy Hash: ADE04F32B0460367DA145A2AE801BD6F3ACAF40325F10092EA444F3180CB3CBA81C6A8

Function 00401437 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401861: CryptImportKey.ADVAPI32(?,0040EBF8,00000494,00000000,00000000,?,?,00401448,?), ref: 00401888

GlobalAlloc.KERNELBASE(00000000,00100000,?), ref: 0040146A
GlobalAlloc.KERNELBASE(00000000,00100000), ref: 00401479

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AllocGlobal$CryptImport
String ID:
API String ID: 2229914853-0
Opcode ID: f1c38862a4e40a926a9cb8dbd32efdc124995eee8a134f66152ea3beb40ebdb5
Instruction ID: 13949ebcdeb320815bc01409d0816805a193b4ce3528f2eda1310b41e89de721
Opcode Fuzzy Hash: f1c38862a4e40a926a9cb8dbd32efdc124995eee8a134f66152ea3beb40ebdb5
Instruction Fuzzy Hash: E9F01DB25047059EE360DA259C40F57B3E8EFC4794F10493FE959E22A1E774A8058B25

Function 004013CE Relevance: 2.5, APIs: 2, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004018B9: CryptDestroyKey.ADVAPI32(?,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018C4
Part of subcall function 004018B9: CryptDestroyKey.ADVAPI32(?,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018D6
Part of subcall function 004018B9: CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

GlobalFree.KERNELBASE(?), ref: 00401407
GlobalFree.KERNELBASE(?), ref: 00401427

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Crypt$DestroyFreeGlobal$ContextRelease
String ID:
API String ID: 3802593847-0
Opcode ID: 6a6a0ddf2cc44157899aa89d4246a2e7fd4c82d45ff6ecee45ca955221c1c337
Instruction ID: afe9474b1f6453f597e9dfd6c6faa5702c9a72b75f6a7d499fb8a404dd574701
Opcode Fuzzy Hash: 6a6a0ddf2cc44157899aa89d4246a2e7fd4c82d45ff6ecee45ca955221c1c337
Instruction Fuzzy Hash: 25F04FB12026004EF761D625D8C4FA373D4EB50319F14443EE59E972F1CA78AC458B28

Function 004056DD Relevance: 1.3, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

calloc.MSVCRT ref: 004056E5

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: calloc
String ID:
API String ID: 2635317215-0
Opcode ID: c79bc297218a7ee9d4f5a5f90e12914113c8194a3ce27a4038e9e9559bc3c912
Instruction ID: e97520f53d479ee56607858e69e3bcf2bfd840abb73b8ebea511af8bedfd3791
Opcode Fuzzy Hash: c79bc297218a7ee9d4f5a5f90e12914113c8194a3ce27a4038e9e9559bc3c912
Instruction Fuzzy Hash: A2B0123200C200FFCF050B00FD05409BBA1EF84231F30C41DF096000708F324020AB05

Function 004056EE Relevance: 1.3, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004056F2

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4703dff8ab147e29624c9a464740c36ea3abe7ebfc27b417c2f57159497d317e
Instruction ID: c0edcc233990ff9cdbf4b79c666f34576f6bab842d07e662915ac3b582d0cfa1
Opcode Fuzzy Hash: 4703dff8ab147e29624c9a464740c36ea3abe7ebfc27b417c2f57159497d317e
Instruction Fuzzy Hash: 67A00271005501DBCA451B20EF0C8497F71EF84252B60456DF08754470CF324462AA09

Non-executed Functions

Function 00406D26 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 290COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?), ref: 00406D61
??3@YAXPAX@Z.MSVCRT(?), ref: 00406D83

Strings

/..\, xrefs: 00406E03
\../, xrefs: 00406DE7
/../, xrefs: 00406DF5
\..\, xrefs: 00406DD9

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID: /../$/..\$\../$\..\
API String ID: 1936579350-3885502717
Opcode ID: 9fe2ee11d69112ebdb782c6af2ace678ca2e36f17f4e057c812f61113bddf1f6
Instruction ID: 3737b326712c28fce93d2c19f1fd65a783408c21a39be2a04ec551ad1204ea0d
Opcode Fuzzy Hash: 9fe2ee11d69112ebdb782c6af2ace678ca2e36f17f4e057c812f61113bddf1f6
Instruction Fuzzy Hash: B6A153729082499FDB19CF68C8916EEBBF4EF05300F14857FE496A7281C738A515CB98

Function 00401A45 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00401A77
GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00401A84
GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00401A91
GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00401A9E
GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00401AAB
GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00401AB8

Strings

advapi32.dll, xrefs: 00401A55
CryptDecrypt, xrefs: 00401AA0
CryptGenKey, xrefs: 00401AAD
CryptEncrypt, xrefs: 00401A93
CryptAcquireContextA, xrefs: 00401A71
CryptImportKey, xrefs: 00401A79
CryptDestroyKey, xrefs: 00401A86

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptDecrypt$CryptDestroyKey$CryptEncrypt$CryptGenKey$CryptImportKey$advapi32.dll
API String ID: 2238633743-2459060434
Opcode ID: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction ID: 9aae3444cc52ced5e7e1ad1d2a06d11cf911cb2b3a933a05a08c6ba10b936042
Opcode Fuzzy Hash: b9d8274d123a30a539352919ce36730ce9328d7041a45cd95e79278e35d60e58
Instruction Fuzzy Hash: 20011E32A86311EBDB30AFA5AE856677AE4EA41750368843FB104B2DB1D7F81448DE5C

Function 00402A76 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 334COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 00402A95
_CxxThrowException.MSVCRT(00000010,0040D570), ref: 00402AA4
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 00402ACD
_CxxThrowException.MSVCRT(00000010,0040D570), ref: 00402ADC
??0exception@@QAE@ABQBD@Z.MSVCRT(?), ref: 00402AFF
_CxxThrowException.MSVCRT(00000010,0040D570), ref: 00402B0E
memcpy.MSVCRT(?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B2A
memcpy.MSVCRT(?,?,?,?,?,00000010,?,?,00000000,00000010,?,?), ref: 00402B3F

Strings

, xrefs: 00402E64

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow$memcpy
String ID:
API String ID: 1881450474-3916222277
Opcode ID: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction ID: fcfef073648f46ce18afaeffe4143d5033c2e410e09e17396796de68d512254b
Opcode Fuzzy Hash: 5e29447d29244d2d39637b6b268b84fba844d2984039595502739967419f177d
Instruction Fuzzy Hash: 8DD1C3706006099FDB28CF29C5846EA77F5FF48314F14C43EE95AEB281D778AA85CB58

Function 004018F9 Relevance: 9.1, APIs: 6, Instructions: 79filememoryencryptionCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040193A
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 0040194A
GlobalAlloc.KERNEL32(00000000,00000000,?,?,?,?,?,?,00401448,?), ref: 00401964
ReadFile.KERNEL32(000000FF,00000000,00000000,?,00000000,?,?,?,?,?,?,00401448,?), ref: 0040197D
CryptImportKey.ADVAPI32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,00401448,?), ref: 00401993
_local_unwind2.MSVCRT ref: 004019A6

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$AllocCreateCryptGlobalImportReadSize_local_unwind2
String ID:
API String ID: 1543066754-0
Opcode ID: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction ID: fb063a64e2dc49fc25d010f75d45645ced701e765f932c996de96a45c5b9f027
Opcode Fuzzy Hash: 232dc3714e51fefb2f6fb0f5b065eea7eb2b0009f41f45388587d49ab84ddf28
Instruction Fuzzy Hash: B62160B1901624AFCB209B99CD48FDF7E78EB097B0F54022AF525B22E0D7785805C6AC

Function 0040350F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403528
_CxxThrowException.MSVCRT(?,0040D570), ref: 00403537
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B51,?,?), ref: 004036A9

Strings

, xrefs: 004036AE
Q;@, xrefs: 004036E2, 004035FD

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID: $Q;@
API String ID: 2382887404-262343263
Opcode ID: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction ID: bc36c6e363c45e845c5013d3ee32ff29fee655b638a1b5d52e43d816bbd12583
Opcode Fuzzy Hash: 9d88d7451ce12b7c3a5d5664735e91029da3423811efce9d06213ba3f138044b
Instruction Fuzzy Hash: A581C3759002499FCB05CF68C9809EEBBF5EF89308F2484AEE595E7352C234BA45CF58

Function 004019E1 Relevance: 7.5, APIs: 5, Instructions: 39encryptionCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,?,?,00401642,?,?,?,?), ref: 004019F2
CryptDecrypt.ADVAPI32(00000000,00000000,00000001,00000000,?,?,?,?,00401642,?,?,?,?), ref: 00401A08
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A13
LeaveCriticalSection.KERNEL32(?,?,?,00401642,?,?,?,?), ref: 00401A1D
memcpy.MSVCRT(?,?,?,?,?,00401642,?,?,?,?), ref: 00401A2C

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CriticalSection$Leave$CryptDecryptEntermemcpy
String ID:
API String ID: 629328382-0
Opcode ID: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction ID: 582611ac2dab466912340a9d1f37a03f8b1d3421f3d1388c7c0078807ea36f1a
Opcode Fuzzy Hash: 94e8d9869d495fd689c19527cd0e18adf9874140e5f97769a3eef967b1068a4f
Instruction Fuzzy Hash: 7FF0A432200204FFEB119F90DD05FAA3769EF44710F008439F945AA1A0D7B5A854DB65

Function 00403797 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 004037B0
_CxxThrowException.MSVCRT(?,0040D570), ref: 004037BF
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00403B9C,?,?), ref: 00403937

Strings

, xrefs: 0040393C

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-3916222277
Opcode ID: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction ID: 1cfba4d829132d5223a2741c68a06c6b284a50eb41fad236877f379c856cacdf
Opcode Fuzzy Hash: 42e34b84d78c9f38c94d52d8705d7c54678ed6dfd70add5debdb3b39e4a64336
Instruction Fuzzy Hash: B991C375A002499FCB05CF69C480AEEBBF5FF89315F2480AEE595E7342C234AA45CF58

Function 004018B9 Relevance: 4.5, APIs: 3, Instructions: 25encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32(?,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018C4
CryptDestroyKey.ADVAPI32(?,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018D6
CryptReleaseContext.ADVAPI32(?,00000000,?,004013DB,?,?,?,0040139D,?,?,00401366), ref: 004018EA

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Crypt$Destroy$ContextRelease
String ID:
API String ID: 1308222791-0
Opcode ID: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction ID: 2349b07d823645f04250185dd133334db1216db109592f97c32ed3e6f6040a2b
Opcode Fuzzy Hash: 5ecafc68ca33f8cfa3c4e9ed1ded46982a6db61dfcb788b9f393b121ae522fda
Instruction Fuzzy Hash: C7E0ED323147019BEB30AB65ED49B5373E8AF00762F04C83DB05AE6990CBB9E8448A58

Function 004029CC Relevance: 3.8, APIs: 3, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00402A15
GetProcessHeap.KERNEL32(00000000,00000000,00000000,00000000,0040243C,00000000), ref: 00402A36
HeapFree.KERNEL32(00000000), ref: 00402A3D

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcessfree
String ID:
API String ID: 3428986607-0
Opcode ID: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction ID: 6307eaad725422957632c7c85bafc458d1caddc7471a2505469f2591130cc2ff
Opcode Fuzzy Hash: 67af2f346d87749f9cdb855264ac8d2816ecbe8db690f3f12af5f99a0e11ec4c
Instruction Fuzzy Hash: C4010C72600A019FCB309FA5DE88967B7E9FF48321354483EF196A2591CB75F841CF58

Function 00402E7E Relevance: 3.3, APIs: 2, Instructions: 272COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00402E98
_CxxThrowException.MSVCRT(?,0040D570), ref: 00402EA7

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction ID: 7c46eb61736c4a52f21da4615b0110659747632e7974af7727d2e67ead4b8ec0
Opcode Fuzzy Hash: 0b3a82e1866a10e008d9e23789663a186783f6e7ea65f1ebfadb5e40c8bf56e2
Instruction Fuzzy Hash: 01B1AD75A081D99EDB05CFB989A04EAFFF2AF4E20474ED1E9C5C4AB313C5306505DB98

Function 004031BC Relevance: 3.3, APIs: 2, Instructions: 271COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 004031D6
_CxxThrowException.MSVCRT(?,0040D570), ref: 004031E5

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrow
String ID:
API String ID: 941485209-0
Opcode ID: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction ID: bcf4991698fce177fafabfcfbf4d003d7da0a1e91b0dfae35dbc96c431f9713a
Opcode Fuzzy Hash: 0dda08770b2cfa47ca0284abc8234425fc657ac4a7c18576e4d0461ed08ab4c9
Instruction Fuzzy Hash: 43B1A135A081D99EDB05CFB984A04EAFFF2AF8E200B4ED1E6C9D4AB713C5705615DB84

Function 004043D1 Relevance: 1.9, APIs: 1, Instructions: 669COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000004,00000008), ref: 004045FD

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 3fbcc6dd2c8130b83686b16ca7a95838e28512f32bb7137642e9b42f172d5f5b
Instruction ID: be8c264385d7e176af4cd986d8d852d6530fc42194437b9fc1d08ba6d3138758
Opcode Fuzzy Hash: 3fbcc6dd2c8130b83686b16ca7a95838e28512f32bb7137642e9b42f172d5f5b
Instruction Fuzzy Hash: 83521DB1900609EFCB14CF69C580AAABBF1FF49315F10852EE95AA7780D338EA55DF44

Function 00404C19 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

WG@, xrefs: 00404C26

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID: WG@
API String ID: 0-1599502709
Opcode ID: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction ID: 9637f4fcf05056c634a246d4ec164b1eccd92df816b65a9601eba7856632ad8a
Opcode Fuzzy Hash: 39bb7c4b20325c44dd8699449145d0d2bc85238f2d0020d1ee85a7bd7e705017
Instruction Fuzzy Hash: 36D1F5B1A002199FDF14CFA9D9805EDBBB1FF88314F25826AD959B7390D734AA41CB84

Function 0040541F Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction ID: 3f72058ef88e406f14a8e4c5cd972b2546dbbe82ce95f55f9558457d0f17cbf0
Opcode Fuzzy Hash: f53bbad7aeff0a1b6693495eaf2e1723a9e1ea82af51c52fb67f7a2539a612fb
Instruction Fuzzy Hash: 8E31A133E285B207C3249EBA5C4006AF6D2AB4A125B4A8775DE88F7355E128EC96C6D4

Function 0040170A Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00401A45: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00401711), ref: 00401A5A
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00401A77
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptImportKey), ref: 00401A84
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDestroyKey), ref: 00401A91
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptEncrypt), ref: 00401A9E
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptDecrypt), ref: 00401AAB
Part of subcall function 00401A45: GetProcAddress.KERNEL32(00000000,CryptGenKey), ref: 00401AB8

LoadLibraryA.KERNEL32(kernel32.dll), ref: 0040172C
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00401749
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00401756
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 00401763
GetProcAddress.KERNEL32(00000000,MoveFileW), ref: 00401770
GetProcAddress.KERNEL32(00000000,MoveFileExW), ref: 0040177D
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040178A
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00401797

Strings

MoveFileW, xrefs: 00401765
DeleteFileW, xrefs: 0040177F
WriteFile, xrefs: 0040174B
CloseHandle, xrefs: 0040178C
kernel32.dll, xrefs: 00401727
MoveFileExW, xrefs: 00401772
ReadFile, xrefs: 00401758
CreateFileW, xrefs: 00401743

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseHandle$CreateFileW$DeleteFileW$MoveFileExW$MoveFileW$ReadFile$WriteFile$kernel32.dll
API String ID: 2238633743-1294736154
Opcode ID: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction ID: c344c10c919c95db3ecd10b94979b50738023765c799e55a58251b06a1d00095
Opcode Fuzzy Hash: 39239a652de09aa7f9a0fc3aed99621d6525255b515761ed1c17c464bdaba5bf
Instruction Fuzzy Hash: D9118E729003059ACB30BF73AE84A577AF8A644751B64483FE501B3EF0D77894499E1E

Function 004021E9 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402457: SetLastError.KERNEL32(0000000D,00402200,?,00000040,?,76379DE0,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402463

SetLastError.KERNEL32(000000C1,?,76379DE0,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402219
GetModuleHandleA.KERNEL32(kernel32.dll,?,76379DE0,00000000,00402185,00402198,004021A3,004021B2,00000000,0040213F,00000000,?,t.wnry), ref: 00402291
GetProcessHeap.KERNEL32(00000008,0000003C), ref: 00402313
HeapAlloc.KERNEL32(00000000), ref: 0040231A
memcpy.MSVCRT(00000000,?,?), ref: 004023A7

Part of subcall function 00402470: memset.MSVCRT ref: 004024D5

SetLastError.KERNEL32(0000045A), ref: 00402430

Strings

kernel32.dll, xrefs: 0040228C
GetNativeSystemInfo, xrefs: 004022A1

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ErrorLast$Heap$AllocHandleModuleProcessmemcpymemset
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 1900561814-192647395
Opcode ID: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction ID: 3b750285519b5b92c664dbe57bf04ddc7e4262fbacbc213f0015b22f99412f1c
Opcode Fuzzy Hash: 3b06903ad61f6388da72c89ae901831d64978f6829295481817f3ae41c17b4c7
Instruction Fuzzy Hash: 0A81AD71A01602AFDB209FA5CE49AAB77E4BF08314F10443EF945E76D1D7B8E851CB98

Function 00403A77 Relevance: 9.1, APIs: 6, Instructions: 123COMMON

Download Yara Rule

APIs

??0exception@@QAE@ABQBD@Z.MSVCRT(0040F570), ref: 00403A91
_CxxThrowException.MSVCRT(?,0040D570), ref: 00403AA0
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B00
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 00403B68
??0exception@@QAE@ABQBD@Z.MSVCRT(0040F574), ref: 00403BC2
_CxxThrowException.MSVCRT(?,0040D570), ref: 00403BD1

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??0exception@@ExceptionThrowmemcpy
String ID:
API String ID: 2382887404-0
Opcode ID: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction ID: 9805a50700f74263afb1320d00d27f30e93ca80038ec105a2d2f515762341bf2
Opcode Fuzzy Hash: 7d0f093dcb85c1b01e904b58e66d92adf2767ba9b2af66087918d42cfe2af866
Instruction Fuzzy Hash: 8541C870B40206ABDB14DE65DD81D9B77BEEB84309B00443FF815B3281D778AB15C759

Function 004027DF Relevance: 7.6, APIs: 5, Instructions: 121COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(00000000,00000014), ref: 00402812
realloc.MSVCRT ref: 00402854
IsBadReadPtr.KERNEL32(-00000014,00000014), ref: 004028DC

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: Read$realloc
String ID:
API String ID: 1241503663-0
Opcode ID: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction ID: b911edbb3638e6438919fa35cb7379f64586f657f287b8edbc273cd359ebb62a
Opcode Fuzzy Hash: 3ef8fdaf83090ca6dd9f312f51019f46009b35537f3f51f7116a8d4e5983476b
Instruction Fuzzy Hash: 4841AE76A00205EFDB109F55CE49B5ABBF4FF44310F24803AE846B62D1D7B8E900DB59

Function 00405BAE Relevance: 6.1, APIs: 4, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,?,00000140,?,00406C12,?,00000000,00000001), ref: 00405BFE
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?), ref: 00405C29
??2@YAPAXI@Z.MSVCRT(00000020,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA,?,?,?), ref: 00405C38
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,?,?,00000000,?,00000140,?,00406C12,?,00000000,00000001,?,004074EA), ref: 00405C8A

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: File$Pointer$??2@Create
String ID:
API String ID: 1331958074-0
Opcode ID: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction ID: 771dcc1d5a31089dd4cc2aab62cbbe5a226dda330bf0289da8f54b52fc8588cb
Opcode Fuzzy Hash: ff1e72f22e15843ade9ace39703012fff21b8a1e8b9c48cc3c9963cb15211f94
Instruction Fuzzy Hash: 0831F231008784AFDB318F28888479BBBF4EF15350F18896EF491A7380C375AD85CB69

Function 00406B8E Relevance: 6.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,00000000,00000000,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003), ref: 00406BB5
strlen.MSVCRT ref: 00406BBC
strcat.MSVCRT(00000140,0040F818,?,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000), ref: 00406BD7
SetFilePointer.KERNEL32(?,00000000,00000000,00000001,004074EA,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00406BEE

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryFilePointerstrcatstrlen
String ID:
API String ID: 1952800545-0
Opcode ID: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction ID: 093f70e5e45cef0a0e83344fd40667ee43cd8b667dee5f3d4d1a5a93074d9648
Opcode Fuzzy Hash: f23f8598dec8bbb4ac10b6a236faff338d1a89892e54ee5ab5b1cbc5c19062ee
Instruction Fuzzy Hash: 06112372004218AAFB305B28DD01BAB3368EB21720F21013FF592B91D0E778A9A2975D

Function 004074A4 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004074A9
??2@YAPAXI@Z.MSVCRT(00000244,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074B5
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 004074FF

Part of subcall function 00407527: strlen.MSVCRT ref: 0040754F
Part of subcall function 00407527: ??2@YAPAXI@Z.MSVCRT(00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 00407556
Part of subcall function 00407527: strcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,00000000,004074D0,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE), ref: 00407563

??2@YAPAXI@Z.MSVCRT(00000008,?,?,?,00000000,?,004075C0,00000000,00000000,00000003,00000000,00401DFE,00000000,00000000), ref: 0040750B

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??2@$??3@H_prologstrcpystrlen
String ID:
API String ID: 1367312548-0
Opcode ID: 4998767945fd9b422902d134ec740bac80b04181f3304c7354ac1dac574c8157
Instruction ID: 24e2e141a7415e54cfde60e06bc6f84240982ef19f6b767edb42695c1fbc6ce5
Opcode Fuzzy Hash: 4998767945fd9b422902d134ec740bac80b04181f3304c7354ac1dac574c8157
Instruction Fuzzy Hash: C101D431D09111BBDB166F659C02B9E3EA0AF04764F10853FF806B76D1DB78AD00C69E

Function 00405C9F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,$l@,00406118,$l@,?,00000000), ref: 00405CB6
??3@YAXPAX@Z.MSVCRT(00000000,$l@,00406118,$l@,?,00000000), ref: 00405CBD

Strings

$l@, xrefs: 00405C9F

Memory Dump Source

Source File: 00000008.00000002.3095952976.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3095917175.0000000000400000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096047581.0000000000408000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096096208.000000000040E000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096126879.000000000040F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3096264179.0000000000410000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_tasksche.jbxd

Yara matches

Similarity

API ID: ??3@CloseHandle
String ID: $l@
API String ID: 3816424416-2140230165
Opcode ID: f47a0d8120d18fd3d7dcf50ee501bfb2ca6f5426bcc0e1f86b14009817ab8223
Instruction ID: 673c02d0cae411eac5e44946f87937de45fd09569792d44698d585129e0307c2
Opcode Fuzzy Hash: f47a0d8120d18fd3d7dcf50ee501bfb2ca6f5426bcc0e1f86b14009817ab8223
Instruction Fuzzy Hash: 47D05E3280DE211BE7226A28B90469B2B949F01330F054A6EE4A1A25E2D7789C8596CC

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report txWVWM8Kx4.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\dsvqhifq359\b.wnry

C:\ProgramData\dsvqhifq359\c.wnry

C:\ProgramData\dsvqhifq359\msg\m_bulgarian.wnry

C:\ProgramData\dsvqhifq359\msg\m_chinese (simplified).wnry

C:\ProgramData\dsvqhifq359\msg\m_chinese (traditional).wnry

C:\ProgramData\dsvqhifq359\msg\m_croatian.wnry

C:\ProgramData\dsvqhifq359\msg\m_czech.wnry

C:\ProgramData\dsvqhifq359\msg\m_danish.wnry

C:\ProgramData\dsvqhifq359\msg\m_dutch.wnry

C:\ProgramData\dsvqhifq359\msg\m_english.wnry

C:\ProgramData\dsvqhifq359\msg\m_filipino.wnry

Windows Analysis Report
txWVWM8Kx4.dll