Edit tour

Windows Analysis Report
yrBA01LVo2.exe

Overview

General Information

Sample name:	yrBA01LVo2.exe renamed because original name is a hash value
Original sample name:	2a62c57ba98308fe2316508f077186b76e5ad55a1e367e58d19e5a9b08900eec.exe
Analysis ID:	1472027
MD5:	da8dde3005365992711946c4622a3c74
SHA1:	d04042cd11cd11f3b6386a5e2275f14b92048fc6
SHA256:	2a62c57ba98308fe2316508f077186b76e5ad55a1e367e58d19e5a9b08900eec
Tags:	64-112-85-3exe
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Wannacry ransomware

AI detected suspicious sample

Connects to many different private IPs (likely to spread or exploit)

Connects to many different private IPs via SMB (likely to spread or exploit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Contains long sleeps (>= 3 min)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

yrBA01LVo2.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\yrBA01LVo2.exe" MD5: DA8DDE3005365992711946C4622A3C74)

yrBA01LVo2.exe (PID: 5508 cmdline: C:\Users\user\Desktop\yrBA01LVo2.exe -m security MD5: DA8DDE3005365992711946C4622A3C74)

svchost.exe (PID: 6504 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
yrBA01LVo2.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
yrBA01LVo2.exe	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0xe034:$s1: C:\%s\%s 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
yrBA01LVo2.exe	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1999381187.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000000.2018076872.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000002.2671560893.0000000002289000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000002.00000002.2671276992.0000000001D61000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: yrBA01LVo2.exe PID: 7108	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: yrBA01LVo2.exe PID: 5508	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.yrBA01LVo2.exe.227a8c8.8.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.2.yrBA01LVo2.exe.1d52084.4.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
2.2.yrBA01LVo2.exe.2289948.6.raw.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.2289948.6.raw.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x222ec:$x3: tasksche.exe 0x222c4:$x8: C:\%s\qeriuwjhrf 0x82b8:$s1: C:\%s\%s 0x222d8:$s1: C:\%s\%s 0x649a4:$s4: msg/m_portuguese.wnry 0x1f60c:$s5: \\192.168.56.20\IPC$ 0xca01:$s6: \\172.16.99.5\IPC$
2.2.yrBA01LVo2.exe.2289948.6.raw.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0xca4c:$s1: __TREEID__PLACEHOLDER__ 0xcae8:$s1: __TREEID__PLACEHOLDER__ 0xd354:$s1: __TREEID__PLACEHOLDER__ 0xe3b9:$s1: __TREEID__PLACEHOLDER__ 0xf420:$s1: __TREEID__PLACEHOLDER__ 0x10488:$s1: __TREEID__PLACEHOLDER__ 0x114f0:$s1: __TREEID__PLACEHOLDER__ 0x12558:$s1: __TREEID__PLACEHOLDER__ 0x135c0:$s1: __TREEID__PLACEHOLDER__ 0x14628:$s1: __TREEID__PLACEHOLDER__ 0x15690:$s1: __TREEID__PLACEHOLDER__ 0x166f8:$s1: __TREEID__PLACEHOLDER__ 0x17760:$s1: __TREEID__PLACEHOLDER__ 0x187c8:$s1: __TREEID__PLACEHOLDER__ 0x19830:$s1: __TREEID__PLACEHOLDER__ 0x1a898:$s1: __TREEID__PLACEHOLDER__ 0x1b900:$s1: __TREEID__PLACEHOLDER__ 0x1bb14:$s1: __TREEID__PLACEHOLDER__ 0x1bb74:$s1: __TREEID__PLACEHOLDER__ 0x1f244:$s1: __TREEID__PLACEHOLDER__ 0x1f2c0:$s1: __TREEID__PLACEHOLDER__
0.0.yrBA01LVo2.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
0.0.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.2.yrBA01LVo2.exe.227a8c8.8.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.227a8c8.8.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.2.yrBA01LVo2.exe.227a8c8.8.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.2.yrBA01LVo2.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.2.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.0.yrBA01LVo2.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.0.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.0.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
0.2.yrBA01LVo2.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.2.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x73a24:$s4: msg/m_portuguese.wnry 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
0.2.yrBA01LVo2.exe.400000.0.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.2.yrBA01LVo2.exe.1d52084.4.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.1d52084.4.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x3136c:$x3: tasksche.exe 0x31344:$x8: C:\%s\qeriuwjhrf 0x17338:$s1: C:\%s\%s 0x31358:$s1: C:\%s\%s 0x2e68c:$s5: \\192.168.56.20\IPC$ 0x1ba81:$s6: \\172.16.99.5\IPC$ 0x9131:$op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00 0x3876:$op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44 0x13e5:$op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
2.2.yrBA01LVo2.exe.1d52084.4.unpack	WannaCry_Ransomware_Gen	Detects WannaCry Ransomware	Florian Roth (based on rule by US CERT)	0x1bacc:$s1: __TREEID__PLACEHOLDER__ 0x1bb68:$s1: __TREEID__PLACEHOLDER__ 0x1c3d4:$s1: __TREEID__PLACEHOLDER__ 0x1d439:$s1: __TREEID__PLACEHOLDER__ 0x1e4a0:$s1: __TREEID__PLACEHOLDER__ 0x1f508:$s1: __TREEID__PLACEHOLDER__ 0x20570:$s1: __TREEID__PLACEHOLDER__ 0x215d8:$s1: __TREEID__PLACEHOLDER__ 0x22640:$s1: __TREEID__PLACEHOLDER__ 0x236a8:$s1: __TREEID__PLACEHOLDER__ 0x24710:$s1: __TREEID__PLACEHOLDER__ 0x25778:$s1: __TREEID__PLACEHOLDER__ 0x267e0:$s1: __TREEID__PLACEHOLDER__ 0x27848:$s1: __TREEID__PLACEHOLDER__ 0x288b0:$s1: __TREEID__PLACEHOLDER__ 0x29918:$s1: __TREEID__PLACEHOLDER__ 0x2a980:$s1: __TREEID__PLACEHOLDER__ 0x2ab94:$s1: __TREEID__PLACEHOLDER__ 0x2abf4:$s1: __TREEID__PLACEHOLDER__ 0x2e2c4:$s1: __TREEID__PLACEHOLDER__ 0x2e340:$s1: __TREEID__PLACEHOLDER__
2.2.yrBA01LVo2.exe.1d5d0a4.2.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.1d5d0a4.2.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
2.2.yrBA01LVo2.exe.1d61104.3.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.1d61104.3.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
2.2.yrBA01LVo2.exe.2289948.6.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.2289948.6.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x1daec:$x3: tasksche.exe 0x1dac4:$x8: C:\%s\qeriuwjhrf 0x76b8:$s1: C:\%s\%s 0x1dad8:$s1: C:\%s\%s 0x601a4:$s4: msg/m_portuguese.wnry 0x1ae0c:$s5: \\192.168.56.20\IPC$ 0xb601:$s6: \\172.16.99.5\IPC$
2.2.yrBA01LVo2.exe.22858e8.7.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
2.2.yrBA01LVo2.exe.22858e8.7.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0x2634c:$x3: tasksche.exe 0x26324:$x8: C:\%s\qeriuwjhrf 0xc318:$s1: C:\%s\%s 0x26338:$s1: C:\%s\%s 0x68a04:$s4: msg/m_portuguese.wnry 0x2366c:$s5: \\192.168.56.20\IPC$ 0x10a61:$s6: \\172.16.99.5\IPC$
Click to see the 29 entries

Sigma Signatures

System Summary

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 6504, ProcessName: svchost.exe

Snort Signatures

ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) - Source IP: 192.168.2.5 - Destination IP: 1.1.1.1

Timestamp:	07/12/24-08:11:55.324048
SID:	2830018
Source Port:	57367
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yrBA01LVo2.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd736	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f015	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/I.	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd7	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/9-	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3	Avira URL Cloud: Label: malware
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f01544	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Virustotal: Detection: 9%	Perma Link
Source: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Virustotal: Detection: 12%	Perma Link
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Virustotal: Detection: 12%	Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	Virustotal: Detection: 9%	Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3	Virustotal: Detection: 8%	Perma Link
Source: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Windows\tasksche.exe	ReversingLabs: Detection: 86%
Source: C:\Windows\tasksche.exe	Virustotal: Detection: 82%			Perma Link

Multi AV Scanner detection for submitted file

Source: yrBA01LVo2.exe	ReversingLabs: Detection: 100%
Source: yrBA01LVo2.exe	Virustotal: Detection: 93%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\tasksche.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yrBA01LVo2.exe

Joe Sandbox ML: detected

Exploits

Connects to many different private IPs (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Connects to many different private IPs via SMB (likely to spread or exploit)

Source: global traffic	TCP traffic: 192.168.2.39:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.38:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.42:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.41:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.44:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.43:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.46:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.45:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.48:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.47:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.40:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.28:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.27:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.29:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.31:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.30:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.33:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.32:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.35:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.34:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.37:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.36:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.17:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.16:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.19:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.18:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.20:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.22:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.21:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.24:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.23:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.26:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.25:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.97:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.96:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.11:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.99:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.10:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.98:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.13:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.12:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.15:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.14:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.91:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.90:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.93:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.92:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.95:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.94:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.2:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.1:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.8:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.7:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.9:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.4:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.3:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.6:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.5:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.86:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.104:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.85:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.105:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.88:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.102:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.87:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.103:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.108:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.89:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.109:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.106:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.107:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.80:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.82:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.100:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.81:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.101:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.84:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.83:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.75:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.74:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.77:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.113:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.76:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.114:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.79:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.78:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.71:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.111:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.70:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.112:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.73:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.72:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.110:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.64:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.63:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.66:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.65:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.68:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.67:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.69:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.60:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.62:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.61:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.49:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.53:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.52:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.55:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.54:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.57:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.56:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.59:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.58:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.51:445	Jump to behavior
Source: global traffic	TCP traffic: 192.168.2.50:445	Jump to behavior

Source: yrBA01LVo2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:57034 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2830018 ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) 192.168.2.5:57367 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.2.5:56867 -> 1.1.1.1:53

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240712-1611-56c7-8cb1-aab7e5f01544 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240712-1611-575d-a069-1da1339fd736 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.4
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.4
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.4
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.4
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.59.96.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.97
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.97
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.97
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.97
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 89.248.166.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.47
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.47
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.47
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.47
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 50.247.21.1
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.22
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.22
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.22
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.22
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1
Source: unknown	TCP traffic detected without corresponding DNS query: 203.155.53.1

Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BSddhgcBDph9M7&MD=UAFFSYcE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BSddhgcBDph9M7&MD=UAFFSYcE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240712-1611-56c7-8cb1-aab7e5f01544 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /?subid1=20240712-1611-575d-a069-1da1339fd736 HTTP/1.1Cache-Control: no-cacheHost: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: global traffic	DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f015
Source: yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd7
Source: yrBA01LVo2.exe	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/
Source: yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3
Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/9-
Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/I.
Source: yrBA01LVo2.exe, 00000002.00000002.2667450829.000000000019D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 57034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: unknown	HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:57034 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Yara detected Wannacry ransomware

Source: Yara match	File source: yrBA01LVo2.exe, type: SAMPLE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.2289948.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.227a8c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.1d52084.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.1d5d0a4.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.1d61104.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.2289948.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.yrBA01LVo2.exe.22858e8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1999381187.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.2018076872.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2671560893.0000000002289000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2671276992.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yrBA01LVo2.exe PID: 7108, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yrBA01LVo2.exe PID: 5508, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: yrBA01LVo2.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: yrBA01LVo2.exe, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.1d52084.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.2289948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.2289948.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 0.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 0.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (based on rule by US CERT)
Source: 2.2.yrBA01LVo2.exe.1d5d0a4.2.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.2289948.6.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 2.2.yrBA01LVo2.exe.22858e8.7.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

File created: C:\WINDOWS\tasksche.exe

Jump to behavior

Source: yrBA01LVo2.exe

Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: tasksche.exe.0.dr

Static PE information: No import functions for PE file found

Source: yrBA01LVo2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: yrBA01LVo2.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: yrBA01LVo2.exe, type: SAMPLE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.1d52084.4.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.1d61104.3.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.2289948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.2289948.6.raw.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.227a8c8.8.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.0.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 0.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.2.yrBA01LVo2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.1d52084.4.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
Source: 2.2.yrBA01LVo2.exe.1d5d0a4.2.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.1d61104.3.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.2289948.6.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 2.2.yrBA01LVo2.exe.22858e8.7.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T

Source: tasksche.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: tasksche.exe.0.dr	Static PE information: Section: .rdata ZLIB complexity 1.0007621951219512
Source: tasksche.exe.0.dr	Static PE information: Section: .data ZLIB complexity 1.001953125
Source: tasksche.exe.0.dr	Static PE information: Section: .rsrc ZLIB complexity 1.0007408405172413

Source: classification engine

Classification label: mal100.rans.expl.winEXE@4/1@2/100

Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		0_2_00407C40
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,		2_2_00407C40

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Code function: 0_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,FindCloseChangeNotification,CreateProcessA,CloseHandle,CloseHandle,

0_2_00407CE0

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Code function: 0_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		0_2_00408090
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Code function: 2_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,		2_2_00408090

Source: yrBA01LVo2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yrBA01LVo2.exe	ReversingLabs: Detection: 100%
Source: yrBA01LVo2.exe	Virustotal: Detection: 93%

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

File read: C:\Users\user\Desktop\yrBA01LVo2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yrBA01LVo2.exe "C:\Users\user\Desktop\yrBA01LVo2.exe"
Source: unknown	Process created: C:\Users\user\Desktop\yrBA01LVo2.exe C:\Users\user\Desktop\yrBA01LVo2.exe -m security
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: yrBA01LVo2.exe

Static file information: File size 2281472 > 1048576

Source: yrBA01LVo2.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f8000

Source: tasksche.exe.0.dr

Static PE information: section name: .text entropy: 7.626957870221103

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

File created: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Code function: 0_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,

0_2_00407C40

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Dropped PE file which has not been started: C:\Windows\tasksche.exe

Jump to dropped file

Source: C:\Users\user\Desktop\yrBA01LVo2.exe TID: 5672	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe TID: 5672	Thread sleep time: -194000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe TID: 5284	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe TID: 5284	Thread sleep count: 46 > 30	Jump to behavior
Source: C:\Users\user\Desktop\yrBA01LVo2.exe TID: 5672	Thread sleep time: -86400000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\yrBA01LVo2.exe

Thread delayed: delay time: 86400000

Jump to behavior

Source: yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B19000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Service Execution	4 Windows Service	4 Windows Service	2 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Software Packing	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yrBA01LVo2.exe	100%	ReversingLabs	Win32.Ransomware.WannaCry
yrBA01LVo2.exe	93%	Virustotal		Browse
yrBA01LVo2.exe	100%	Avira	TR/Ransom.Gen
yrBA01LVo2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\tasksche.exe	100%	Joe Sandbox ML
C:\Windows\tasksche.exe	87%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Windows\tasksche.exe	83%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
77026.bodis.com	0%	Virustotal	Browse
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	9%	Virustotal	Browse
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	13%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	0%	Avira URL Cloud	safe
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd736	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f015	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/I.	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd7	100%	Avira URL Cloud	malware
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	13%	Virustotal		Browse
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/9-	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	9%	Virustotal		Browse
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f01544	100%	Avira URL Cloud	malware
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3	9%	Virustotal		Browse
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
77026.bodis.com	199.59.243.226	true	false	0%, Virustotal, Browse	unknown
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	103.224.212.215	true	false	9%, Virustotal, Browse	unknown
ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	unknown	unknown	false	13%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd736	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f01544	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f015	yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.comJ	yrBA01LVo2.exe, 00000002.00000002.2667450829.000000000019D000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/	yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	yrBA01LVo2.exe	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/I.	yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd7	yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/9-	yrBA01LVo2.exe, 00000000.00000002.2032154935.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/3	yrBA01LVo2.exe, 00000002.00000002.2669265024.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.148.241.91	unknown	Turkey	208485	EKSENBILISIMTR	false
170.120.108.114	unknown	United States	22347	DORSEY-WHITNEYUS	false
133.184.83.1	unknown	Japan	385	AFCONC-BLOCK1-ASUS	false
217.123.9.234	unknown	Netherlands	33915	TNF-ASNL	false
161.45.66.2	unknown	United States	26335	MTSUUS	false
161.45.66.1	unknown	United States	26335	MTSUUS	false
204.59.96.4	unknown	United States	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
204.59.96.1	unknown	United States	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
204.59.96.2	unknown	United States	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	false
183.227.189.2	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
183.227.189.1	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
192.99.167.126	unknown	Canada	16276	OVHFR	false
192.99.167.1	unknown	Canada	16276	OVHFR	false
146.166.199.1	unknown	United States	14977	STATE-OF-WYOMING-ASNUS	false
96.158.114.43	unknown	United States	7922	COMCAST-7922US	false
45.205.206.1	unknown	Seychelles	26484	IKGUL-26484US	false
11.223.200.1	unknown	United States	3356	LEVEL3US	false
63.194.252.1	unknown	United States	7018	ATT-INTERNET4US	false
89.248.166.2	unknown	Netherlands	202425	INT-NETWORKSC	false
58.98.198.169	unknown	Japan	9595	XEPHIONNTT-MECorporationJP	false
63.194.252.161	unknown	United States	7018	ATT-INTERNET4US	false
89.248.166.1	unknown	Netherlands	202425	INT-NETWORKSC	false
161.45.66.107	unknown	United States	26335	MTSUUS	false
159.4.73.1	unknown	United States	1906	NORTHROP-GRUMMANUS	false
183.227.189.235	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false

Private

IP
192.168.2.148
192.168.2.149
192.168.2.146
192.168.2.147
192.168.2.140
192.168.2.141
192.168.2.144
192.168.2.145
192.168.2.142
192.168.2.143
192.168.2.159
192.168.2.157
192.168.2.158
10.50.70.81
192.168.2.151
192.168.2.152
192.168.2.150
192.168.2.155
192.168.2.156
192.168.2.153
192.168.2.154
192.168.2.126
192.168.2.247
192.168.2.127
192.168.2.248
192.168.2.124
192.168.2.245
192.168.2.125
192.168.2.246
192.168.2.128
192.168.2.249
192.168.2.129
192.168.2.240
192.168.2.122
192.168.2.243
192.168.2.123
192.168.2.244
192.168.2.120
192.168.2.241
192.168.2.121
192.168.2.242
192.168.2.97
192.168.2.137
192.168.2.96
192.168.2.138
192.168.2.99
192.168.2.135
192.168.2.98
192.168.2.136
192.168.2.139
192.168.2.250
192.168.2.130
192.168.2.251
192.168.2.91
192.168.2.90
192.168.2.93
192.168.2.133
192.168.2.254
192.168.2.92
192.168.2.134
192.168.2.95
192.168.2.131
192.168.2.252
192.168.2.94
192.168.2.132
192.168.2.253
10.50.70.1
192.168.2.104
192.168.2.225
192.168.2.105
192.168.2.226
192.168.2.102
192.168.2.223
192.168.2.103
192.168.2.224

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1472027
Start date and time:	2024-07-12 08:11:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yrBA01LVo2.exe renamed because original name is a hash value
Original Sample Name:	2a62c57ba98308fe2316508f077186b76e5ad55a1e367e58d19e5a9b08900eec.exe
Detection:	MAL
Classification:	mal100.rans.expl.winEXE@4/1@2/100
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 192.229.221.95
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:12:31	API Interceptor	112x Sleep call for process: yrBA01LVo2.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77026.bodis.com	http://sectocarewl.online/mona-michelle/	Get hash	malicious	Unknown	Browse	199.59.243.226
	file.exe	Get hash	malicious	CMSBrute	Browse	199.59.243.225
	SlHgSOYcMY.exe	Get hash	malicious	Unknown	Browse	199.59.243.225
	https://upsmychoicedeals.com	Get hash	malicious	Unknown	Browse	199.59.243.225
	http://free.filesearch.club/?q=grade+9+core+french+textbook	Get hash	malicious	Unknown	Browse	199.59.243.225
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	199.59.243.225
	PaDQmSw2ud.dll	Get hash	malicious	Laplas Clipper	Browse	199.59.243.225
	ccQGH1mKws.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	199.59.243.225
	file.exe	Get hash	malicious	LummaC, Glupteba, SmokeLoader, Stealc, Xmrig	Browse	199.59.243.225
	7abf5ad882fd72332b0b7fb530c8c6505852d4f7ea39edfe444218bdcd9c7f0e_dump.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	199.59.243.225
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	lJt3mQqCQl.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	xIwkOnjSIa.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	IU28r0EZFA.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	ViNIRfmQmE.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220
	Ee3RWj3ID9.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220
	YB7v7UFV3j.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220
	B0U3oOhQJu.exe	Get hash	malicious	Wannacry	Browse	103.224.212.220
	1WImqfBvqH.dll	Get hash	malicious	Wannacry	Browse	103.224.212.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DORSEY-WHITNEYUS	https://us02web.zoom.us/webinar/register/WN_7CDol1QPS2eD_bT1ntjWmg	Get hash	malicious	Unknown	Browse	170.114.52.2
	https://us02web.zoom.us/webinar/register/6317193087387/WN_wbycs5lISL2eo8rEP6qUDg#/registration	Get hash	malicious	Unknown	Browse	170.114.45.6
	Doc3.docx	Get hash	malicious	Unknown	Browse	170.114.52.2
	https://us02web.zoom.us/webinar/register/WN_7CDol1QPS2eD_bT1ntjWmg	Get hash	malicious	Unknown	Browse	170.114.45.6
	C7QZHqCV7n.elf	Get hash	malicious	Unknown	Browse	170.118.48.78
	i6bCVSCWc1.elf	Get hash	malicious	Mirai	Browse	170.113.24.254
	https://zoom.us/download	Get hash	malicious	Unknown	Browse	170.114.65.138
	TxXQ106ErI.elf	Get hash	malicious	Mirai	Browse	170.113.127.1
	4ZgjosOSkq.elf	Get hash	malicious	Mirai	Browse	170.118.73.39
	https://us06web.zoom.us/webinar/register/WN_ozauON07SWuCo9QWQ_DMsg	Get hash	malicious	Unknown	Browse	170.114.52.6
TNF-ASNL	X2Yb9u8Ntz.elf	Get hash	malicious	Mirai	Browse	84.27.17.112
	ahN4x3ahps.elf	Get hash	malicious	Mirai	Browse	89.220.176.250
	3jI8pe3luL.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	84.31.74.137
	205.185.124.50-mips-2024-07-03T23_47_54.elf	Get hash	malicious	Mirai, Moobot	Browse	82.72.81.13
	DVh7O0cBNN.elf	Get hash	malicious	Unknown	Browse	94.211.242.89
	ztGOiA742S.elf	Get hash	malicious	Unknown	Browse	84.26.86.38
	vGUfP1M4Q6.elf	Get hash	malicious	Unknown	Browse	94.208.45.195
	eW8ah5TCen.elf	Get hash	malicious	Unknown	Browse	217.121.211.66
	mirai.x86.elf	Get hash	malicious	Mirai	Browse	217.122.27.143
	mfQABKHhh1.elf	Get hash	malicious	Mirai	Browse	195.35.225.234
EKSENBILISIMTR	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	193.57.27.27
	ChromeUpdate.msi	Get hash	malicious	DarkGate, MailPassView	Browse	94.232.245.250
	odB2NhqqLn.exe	Get hash	malicious	Unknown	Browse	94.232.247.248
	jhwTchfZRO.exe	Get hash	malicious	Unknown	Browse	94.232.247.248
	bUWKfj04aU.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine	Browse	94.232.247.248
	Zo5nx6nbWO.elf	Get hash	malicious	Gafgyt	Browse	147.79.142.145
	https://esincecocuk.com/833002.html	Get hash	malicious	HTMLPhisher	Browse	45.143.99.2
	skid.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	194.29.80.216
	file.exe	Get hash	malicious	Amadey, Xmrig	Browse	185.154.192.128
	QbQ0spd3GB.elf	Get hash	malicious	Mirai	Browse	194.29.80.213
AFCONC-BLOCK1-ASUS	gw3yTM2uiZ.elf	Get hash	malicious	Mirai	Browse	132.37.39.147
	5Ghgetzec2.elf	Get hash	malicious	Mirai	Browse	147.74.215.63
	qgtfQPgL23.elf	Get hash	malicious	Unknown	Browse	132.4.144.101
	y7cm9CKSN9.elf	Get hash	malicious	Mirai	Browse	131.36.72.80
	b3lcTjArym.elf	Get hash	malicious	Mirai	Browse	133.176.84.21
	arm7.elf	Get hash	malicious	Mirai	Browse	143.144.150.34
	arm5.elf	Get hash	malicious	Mirai	Browse	132.16.254.93
	arm4.elf	Get hash	malicious	Mirai	Browse	131.28.30.51
	45.128.232.240-mips-2024-07-06T07_07_43.elf	Get hash	malicious	Mirai	Browse	132.51.38.171
	arm5-20240706-0316.elf	Get hash	malicious	Mirai	Browse	129.239.85.104

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://inodive.us/css/ZC5zYXV0aWVyQHNibS5tYw==	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 20.114.59.183
	V-Mail_maryland.gov.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	52.165.165.26 20.114.59.183
	V-Mail_maryland.gov.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	52.165.165.26 20.114.59.183
	https://www.searchvity.com	Get hash	malicious	Unknown	Browse	52.165.165.26 20.114.59.183
	https://www.cognitoforms.com/Bellis2/BELLISAUSTRALIAPTYLTD	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 20.114.59.183
	https://mail.pfl.fyi/v1/messages/01909fdd-253c-74e4-a4d4-2d3080c42178/click?link_id=01909fdd-2577-78fa-9aa1-1363f665f21c&signature=ec89d906ae45cddf78ff2ac5ff90a7b4fb4098de	Get hash	malicious	Unknown	Browse	52.165.165.26 20.114.59.183
	SecuriteInfo.com.not-a-virus.HEUR.RemoteAdmin.Win32.Conne.gen.1416.17840.exe	Get hash	malicious	Unknown	Browse	52.165.165.26 20.114.59.183
	tmp3A62.htm	Get hash	malicious	Unknown	Browse	52.165.165.26 20.114.59.183
	https://zzmc.tatateri.com/lPY0TK6A/#Mandrew.lapkin@innocap.com	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	52.165.165.26 20.114.59.183
	terence.tinnelly-TT SLIP-PDF.shtml	Get hash	malicious	HTMLPhisher	Browse	52.165.165.26 20.114.59.183

Process:	C:\Users\user\Desktop\yrBA01LVo2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2061938
Entropy (8bit):	7.644344821595419
Encrypted:	false
SSDEEP:	49152:kMSPbcBVQej/1INMx+TSqTdX1H76SAARdhn:kPoBhz1aMxcSUD76SAEdh
MD5:	67A9A3C2AFEFCD2471C4405E7C75DA52
SHA1:	74DA4F8247EA27133F8EDCDA3EA68125E8117ACD
SHA-256:	6DD4D141569239F6B8A5D283DEAE75862E75B3243F7AB7A8016DA476C3753506
SHA-512:	C65385BB3A4C3ACF5AEF6C2C32791EBD3BAA784807066396A056129B10A04E8D8A644975405A96A937835BDAD06262B40BEF8550C1075BCDA34736BC8A6737A4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 83%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&K.WG%.WG%.WG%.^?..LG%.^?...G%.^?..BG%.WG$.G%.^?..0G%.^?..VG%.^?..VG%.^?..VG%.RichWG%.................PE..L......U..........................................@..........................`......................................p...3............ ..(9..............................................................@............................................text.............................. ..`.rdata...P.......R..................@..@.data...(...........................@....rsrc...(9... ...:..................@..@........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.536718359358342
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	yrBA01LVo2.exe
File size:	2'281'472 bytes
MD5:	da8dde3005365992711946c4622a3c74
SHA1:	d04042cd11cd11f3b6386a5e2275f14b92048fc6
SHA256:	2a62c57ba98308fe2316508f077186b76e5ad55a1e367e58d19e5a9b08900eec
SHA512:	a06f8a53e5cd7e80429c2d7339f0c7d78a1d384da2fccb23a0cee5c7e9f39dbe3e73bac0ee271b84f3cfa8a545a57bcf592446666b6381397df20beb644a77e7
SSDEEP:	49152:QnaMSPbcBVQej/1INMx+TSqTdX1H76SAARdhn:QaPoBhz1aMxcSUD76SAEdh
TLSH:	E1B5239A716C90F4C2092A7494BB8E12F6B67C3E21FA690BEF4089762C53F56F750743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U<S..]=..]=..]=.jA1..]=..A3..]=.~B7..]=.~B6..]=.~B9..]=..R`..]=..]<.J]=.'{6..]=..[;..]=.Rich.]=.........................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409a16
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78ECC [Sat Nov 20 09:03:08 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9ecee117164e0b870a53dd187cdd7174

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040A1A0h
push 00409BA2h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 68h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
xor ebx, ebx
mov dword ptr [ebp-04h], ebx
push 00000002h
call dword ptr [0040A0C0h]
pop ecx
or dword ptr [0070F894h], FFFFFFFFh
or dword ptr [0070F898h], FFFFFFFFh
call dword ptr [0040A0C8h]
mov ecx, dword ptr [0070F88Ch]
mov dword ptr [eax], ecx
call dword ptr [0040A0CCh]
mov ecx, dword ptr [0070F888h]
mov dword ptr [eax], ecx
mov eax, dword ptr [0040A0E4h]
mov eax, dword ptr [eax]
mov dword ptr [0070F890h], eax
call 00007F9CB0CAFEC1h
cmp dword ptr [00431410h], ebx
jne 00007F9CB0CAFDAEh
push 00409B9Eh
call dword ptr [0040A0D4h]
pop ecx
call 00007F9CB0CAFE93h
push 0040B010h
push 0040B00Ch
call 00007F9CB0CAFE7Eh
mov eax, dword ptr [0070F884h]
mov dword ptr [ebp-6Ch], eax
lea eax, dword ptr [ebp-6Ch]
push eax
push dword ptr [0070F880h]
lea eax, dword ptr [ebp-64h]
push eax
lea eax, dword ptr [ebp-70h]
push eax
lea eax, dword ptr [ebp-60h]
push eax
call dword ptr [0040A0DCh]
push 0040B008h
push 0040B000h
call 00007F9CB0CAFE4Bh

Rich Headers

Programming Language:

[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa1e0	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x310000	0x1f7ac8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8bca	0x9000	2553ad9eb2f493e7b1b370f52918de23	False	0.5344509548611112	data	6.1344811887775705	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa000	0x998	0x1000	d8037d744b539326c06e897625751cc9	False	0.29345703125	data	3.503615586181224	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb000	0x30489c	0x27000	d7a08f7da8df3f627ed4820cda4fb8e2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x310000	0x1f8000	0x1f8000	5e002891cdcce84d9f8201f8de5ca41f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
R	0x3100a4	0x1f7672	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States	0.971949577331543
RT_VERSION	0x507718	0x3b0	data	English	United States	0.018008474576271187

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedIncrement, GetCurrentThreadId, GetCurrentThread, ReadFile, GetFileSize, CreateFileA, MoveFileExA, SizeofResource, TerminateThread, LoadResource, FindResourceA, GetProcAddress, GetModuleHandleW, ExitProcess, GetModuleFileNameA, LocalFree, LocalAlloc, CloseHandle, InterlockedDecrement, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GlobalAlloc, GlobalFree, QueryPerformanceFrequency, QueryPerformanceCounter, GetTickCount, LockResource, Sleep, GetStartupInfoA, GetModuleHandleA
ADVAPI32.dll	StartServiceCtrlDispatcherA, RegisterServiceCtrlHandlerA, ChangeServiceConfig2A, SetServiceStatus, OpenSCManagerA, CreateServiceA, CloseServiceHandle, StartServiceA, CryptGenRandom, CryptAcquireContextA, OpenServiceA
WS2_32.dll	closesocket, recv, send, htonl, ntohl, WSAStartup, inet_ntoa, ioctlsocket, select, htons, socket, connect, inet_addr
MSVCP60.dll	??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@XZ
iphlpapi.dll	GetAdaptersInfo, GetPerAdapterInfo
WININET.dll	InternetOpenA, InternetOpenUrlA, InternetCloseHandle
MSVCRT.dll	__set_app_type, _stricmp, __p__fmode, __p__commode, _except_handler3, __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _controlfp, exit, _XcptFilter, _exit, _onexit, __dllonexit, free, ??2@YAPAXI@Z, _ftol, sprintf, _endthreadex, strncpy, rand, _beginthreadex, __CxxFrameHandler, srand, time, __p___argc

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/12/24-08:11:55.324048	UDP	2830018	ETPRO TROJAN Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup)	57367	53	192.168.2.5	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2024 08:11:53.263302088 CEST	49674	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:11:53.263577938 CEST	49675	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:11:53.372781038 CEST	49673	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:11:55.490084887 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:55.495085955 CEST	80	49704	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:55.495177984 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:55.495357037 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:55.500293970 CEST	80	49704	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:56.187971115 CEST	80	49704	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:56.188028097 CEST	80	49704	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:56.188086987 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:56.188087940 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:56.193460941 CEST	49704	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:56.198339939 CEST	80	49704	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:56.440412045 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.445314884 CEST	80	49705	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:56.445528984 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.445528984 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.452194929 CEST	80	49705	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:56.907282114 CEST	80	49705	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:56.907345057 CEST	80	49705	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:56.907423019 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.907423019 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.986206055 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:56.986206055 CEST	49705	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:57.243500948 CEST	49706	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:57.248625994 CEST	80	49706	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:57.248749971 CEST	49706	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:57.248883009 CEST	49706	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:57.253648996 CEST	80	49706	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:57.877907991 CEST	80	49706	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:57.877940893 CEST	80	49706	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:57.878020048 CEST	49706	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:57.881385088 CEST	49706	80	192.168.2.5	103.224.212.215
Jul 12, 2024 08:11:57.883378029 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:57.886296034 CEST	80	49706	103.224.212.215	192.168.2.5
Jul 12, 2024 08:11:57.888436079 CEST	80	49707	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:57.888520956 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:57.888644934 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:57.893409014 CEST	80	49707	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:58.364789009 CEST	80	49707	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:58.364880085 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:58.364913940 CEST	80	49707	199.59.243.226	192.168.2.5
Jul 12, 2024 08:11:58.364954948 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:58.371155977 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:58.371207952 CEST	49707	80	192.168.2.5	199.59.243.226
Jul 12, 2024 08:11:58.401921034 CEST	49708	445	192.168.2.5	204.59.96.4
Jul 12, 2024 08:11:58.407017946 CEST	445	49708	204.59.96.4	192.168.2.5
Jul 12, 2024 08:11:58.407097101 CEST	49708	445	192.168.2.5	204.59.96.4
Jul 12, 2024 08:11:58.407711029 CEST	49708	445	192.168.2.5	204.59.96.4
Jul 12, 2024 08:11:58.407877922 CEST	49709	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.412619114 CEST	445	49708	204.59.96.4	192.168.2.5
Jul 12, 2024 08:11:58.412946939 CEST	445	49709	204.59.96.1	192.168.2.5
Jul 12, 2024 08:11:58.414190054 CEST	49708	445	192.168.2.5	204.59.96.4
Jul 12, 2024 08:11:58.414206982 CEST	49709	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.414267063 CEST	49709	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.417023897 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.419600964 CEST	445	49709	204.59.96.1	192.168.2.5
Jul 12, 2024 08:11:58.419645071 CEST	49709	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.421920061 CEST	445	49710	204.59.96.1	192.168.2.5
Jul 12, 2024 08:11:58.421969891 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.422027111 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:11:58.426852942 CEST	445	49710	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:00.405356884 CEST	49733	445	192.168.2.5	89.248.166.97
Jul 12, 2024 08:12:00.410665035 CEST	445	49733	89.248.166.97	192.168.2.5
Jul 12, 2024 08:12:00.413393021 CEST	49733	445	192.168.2.5	89.248.166.97
Jul 12, 2024 08:12:00.413434982 CEST	49733	445	192.168.2.5	89.248.166.97
Jul 12, 2024 08:12:00.413866997 CEST	49734	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.418833017 CEST	445	49734	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:00.418914080 CEST	49734	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.418955088 CEST	49734	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.419097900 CEST	445	49733	89.248.166.97	192.168.2.5
Jul 12, 2024 08:12:00.419143915 CEST	49733	445	192.168.2.5	89.248.166.97
Jul 12, 2024 08:12:00.420291901 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.427531958 CEST	445	49734	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:00.427576065 CEST	445	49735	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:00.427769899 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.427769899 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.428584099 CEST	445	49734	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:00.428636074 CEST	49734	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:00.432831049 CEST	445	49735	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:02.422385931 CEST	49758	445	192.168.2.5	50.247.21.47
Jul 12, 2024 08:12:02.427690029 CEST	445	49758	50.247.21.47	192.168.2.5
Jul 12, 2024 08:12:02.427802086 CEST	49758	445	192.168.2.5	50.247.21.47
Jul 12, 2024 08:12:02.427803040 CEST	49758	445	192.168.2.5	50.247.21.47
Jul 12, 2024 08:12:02.428133011 CEST	49759	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.433077097 CEST	445	49759	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:02.433159113 CEST	49759	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.433214903 CEST	49759	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.433387995 CEST	445	49758	50.247.21.47	192.168.2.5
Jul 12, 2024 08:12:02.433444023 CEST	49758	445	192.168.2.5	50.247.21.47
Jul 12, 2024 08:12:02.434299946 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.438780069 CEST	445	49759	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:02.438853025 CEST	49759	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.439157009 CEST	445	49760	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:02.439212084 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.439245939 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:02.444072008 CEST	445	49760	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:02.872777939 CEST	49674	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:12:02.872826099 CEST	49675	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:12:02.982063055 CEST	49673	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:12:04.437799931 CEST	49781	445	192.168.2.5	203.155.53.22
Jul 12, 2024 08:12:04.442893028 CEST	445	49781	203.155.53.22	192.168.2.5
Jul 12, 2024 08:12:04.443012953 CEST	49781	445	192.168.2.5	203.155.53.22
Jul 12, 2024 08:12:04.443062067 CEST	49781	445	192.168.2.5	203.155.53.22
Jul 12, 2024 08:12:04.443253994 CEST	49782	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.448102951 CEST	445	49782	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:04.448194027 CEST	49782	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.448225975 CEST	49782	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.448540926 CEST	445	49781	203.155.53.22	192.168.2.5
Jul 12, 2024 08:12:04.448616028 CEST	49781	445	192.168.2.5	203.155.53.22
Jul 12, 2024 08:12:04.449423075 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.453717947 CEST	445	49782	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:04.453769922 CEST	49782	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.454293966 CEST	445	49783	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:04.454379082 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.454408884 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:04.459273100 CEST	445	49783	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:04.661717892 CEST	443	49703	23.1.237.91	192.168.2.5
Jul 12, 2024 08:12:04.661859035 CEST	49703	443	192.168.2.5	23.1.237.91
Jul 12, 2024 08:12:06.457360029 CEST	49804	445	192.168.2.5	160.232.165.7
Jul 12, 2024 08:12:06.463798046 CEST	445	49804	160.232.165.7	192.168.2.5
Jul 12, 2024 08:12:06.463886023 CEST	49804	445	192.168.2.5	160.232.165.7
Jul 12, 2024 08:12:06.463970900 CEST	49804	445	192.168.2.5	160.232.165.7
Jul 12, 2024 08:12:06.464212894 CEST	49805	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.469290018 CEST	445	49805	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:06.469376087 CEST	49805	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.469448090 CEST	49805	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.470849037 CEST	445	49804	160.232.165.7	192.168.2.5
Jul 12, 2024 08:12:06.471911907 CEST	445	49804	160.232.165.7	192.168.2.5
Jul 12, 2024 08:12:06.472059965 CEST	49804	445	192.168.2.5	160.232.165.7
Jul 12, 2024 08:12:06.480350018 CEST	445	49805	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:06.480621099 CEST	445	49805	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:06.480678082 CEST	49805	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.507258892 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.512320042 CEST	445	49806	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:06.512388945 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.512437105 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:06.517277956 CEST	445	49806	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:08.467606068 CEST	49829	445	192.168.2.5	183.227.189.235
Jul 12, 2024 08:12:08.472903967 CEST	445	49829	183.227.189.235	192.168.2.5
Jul 12, 2024 08:12:08.472992897 CEST	49829	445	192.168.2.5	183.227.189.235
Jul 12, 2024 08:12:08.473135948 CEST	49829	445	192.168.2.5	183.227.189.235
Jul 12, 2024 08:12:08.473364115 CEST	49830	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.478282928 CEST	445	49830	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:08.478354931 CEST	49830	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.478394032 CEST	49830	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.478566885 CEST	445	49829	183.227.189.235	192.168.2.5
Jul 12, 2024 08:12:08.478627920 CEST	49829	445	192.168.2.5	183.227.189.235
Jul 12, 2024 08:12:08.479590893 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.484318972 CEST	445	49830	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:08.484390020 CEST	49830	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.484571934 CEST	445	49831	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:08.484635115 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.484673977 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:08.490684986 CEST	445	49831	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:10.482675076 CEST	49853	445	192.168.2.5	96.158.114.43
Jul 12, 2024 08:12:10.489209890 CEST	445	49853	96.158.114.43	192.168.2.5
Jul 12, 2024 08:12:10.489321947 CEST	49853	445	192.168.2.5	96.158.114.43
Jul 12, 2024 08:12:10.489388943 CEST	49853	445	192.168.2.5	96.158.114.43
Jul 12, 2024 08:12:10.489689112 CEST	49854	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.494617939 CEST	445	49853	96.158.114.43	192.168.2.5
Jul 12, 2024 08:12:10.494669914 CEST	445	49854	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:10.494685888 CEST	49853	445	192.168.2.5	96.158.114.43
Jul 12, 2024 08:12:10.494745970 CEST	49854	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.494795084 CEST	49854	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.495095015 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.500228882 CEST	445	49854	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:10.500253916 CEST	445	49855	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:10.500313997 CEST	49854	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.500365973 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.500418901 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:10.505248070 CEST	445	49855	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:12.498363018 CEST	49878	445	192.168.2.5	161.45.66.107
Jul 12, 2024 08:12:12.503329039 CEST	445	49878	161.45.66.107	192.168.2.5
Jul 12, 2024 08:12:12.503412962 CEST	49878	445	192.168.2.5	161.45.66.107
Jul 12, 2024 08:12:12.503556967 CEST	49878	445	192.168.2.5	161.45.66.107
Jul 12, 2024 08:12:12.503570080 CEST	49879	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.508423090 CEST	445	49879	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:12.508506060 CEST	49879	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.508759975 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.508759975 CEST	49879	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.509474039 CEST	445	49878	161.45.66.107	192.168.2.5
Jul 12, 2024 08:12:12.509520054 CEST	49878	445	192.168.2.5	161.45.66.107
Jul 12, 2024 08:12:12.513659954 CEST	445	49880	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:12.513730049 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.513765097 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.513914108 CEST	445	49879	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:12.513957977 CEST	49879	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:12.518513918 CEST	445	49880	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:13.199069023 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:13.199100018 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:13.199167013 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:13.200540066 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:13.200547934 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:13.890430927 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:13.890642881 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:13.894138098 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:13.894149065 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:13.894401073 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:13.935153008 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:14.465157032 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:14.508497000 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:14.513660908 CEST	49905	445	192.168.2.5	149.78.23.8
Jul 12, 2024 08:12:14.518677950 CEST	445	49905	149.78.23.8	192.168.2.5
Jul 12, 2024 08:12:14.518745899 CEST	49905	445	192.168.2.5	149.78.23.8
Jul 12, 2024 08:12:14.518786907 CEST	49905	445	192.168.2.5	149.78.23.8
Jul 12, 2024 08:12:14.518850088 CEST	49906	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.523642063 CEST	445	49906	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:14.523699999 CEST	49906	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.523725033 CEST	49906	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.524051905 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.524518013 CEST	445	49905	149.78.23.8	192.168.2.5
Jul 12, 2024 08:12:14.524580956 CEST	49905	445	192.168.2.5	149.78.23.8
Jul 12, 2024 08:12:14.528898001 CEST	445	49907	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:14.528959990 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.529000044 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.529064894 CEST	445	49906	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:14.529123068 CEST	49906	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:14.533786058 CEST	445	49907	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:15.700793028 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700812101 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700834990 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700882912 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700958967 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:15.700968981 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700974941 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.700998068 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:15.701040983 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:15.701083899 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.701174974 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:15.701179028 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.701195955 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:15.701361895 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:16.217016935 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:16.217016935 CEST	49887	443	192.168.2.5	52.165.165.26
Jul 12, 2024 08:12:16.217032909 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:16.217040062 CEST	443	49887	52.165.165.26	192.168.2.5
Jul 12, 2024 08:12:16.529568911 CEST	49933	445	192.168.2.5	192.12.185.53
Jul 12, 2024 08:12:16.534626961 CEST	445	49933	192.12.185.53	192.168.2.5
Jul 12, 2024 08:12:16.534845114 CEST	49933	445	192.168.2.5	192.12.185.53
Jul 12, 2024 08:12:16.534954071 CEST	49933	445	192.168.2.5	192.12.185.53
Jul 12, 2024 08:12:16.535176992 CEST	49934	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.540025949 CEST	445	49934	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:16.540096045 CEST	49934	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.540169001 CEST	49934	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.540262938 CEST	445	49933	192.12.185.53	192.168.2.5
Jul 12, 2024 08:12:16.540524006 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.540847063 CEST	49933	445	192.168.2.5	192.12.185.53
Jul 12, 2024 08:12:16.545433998 CEST	445	49935	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:16.545591116 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.545591116 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.545763016 CEST	445	49934	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:16.545840979 CEST	49934	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:16.550687075 CEST	445	49935	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:17.445148945 CEST	56867	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:12:17.450381041 CEST	53	56867	1.1.1.1	192.168.2.5
Jul 12, 2024 08:12:17.450474024 CEST	56867	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:12:17.455471039 CEST	53	56867	1.1.1.1	192.168.2.5
Jul 12, 2024 08:12:17.902652979 CEST	56867	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:12:17.907849073 CEST	53	56867	1.1.1.1	192.168.2.5
Jul 12, 2024 08:12:17.908348083 CEST	56867	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:12:18.545186043 CEST	56881	445	192.168.2.5	27.249.74.141
Jul 12, 2024 08:12:18.550277948 CEST	445	56881	27.249.74.141	192.168.2.5
Jul 12, 2024 08:12:18.550374031 CEST	56881	445	192.168.2.5	27.249.74.141
Jul 12, 2024 08:12:18.550414085 CEST	56881	445	192.168.2.5	27.249.74.141
Jul 12, 2024 08:12:18.550519943 CEST	56882	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.555247068 CEST	445	56882	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:18.555299044 CEST	56882	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.555311918 CEST	56882	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.555604935 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.555671930 CEST	445	56881	27.249.74.141	192.168.2.5
Jul 12, 2024 08:12:18.555727959 CEST	56881	445	192.168.2.5	27.249.74.141
Jul 12, 2024 08:12:18.560393095 CEST	445	56883	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:18.560760021 CEST	445	56882	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:18.564342976 CEST	56882	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.564393044 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.564393044 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:18.569477081 CEST	445	56883	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:19.809998989 CEST	445	49710	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:19.810131073 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:19.810528040 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:19.810651064 CEST	49710	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:19.815376043 CEST	445	49710	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:19.815385103 CEST	445	49710	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:20.560558081 CEST	56905	445	192.168.2.5	124.175.46.127
Jul 12, 2024 08:12:21.591942072 CEST	445	56905	124.175.46.127	192.168.2.5
Jul 12, 2024 08:12:21.592051983 CEST	56905	445	192.168.2.5	124.175.46.127
Jul 12, 2024 08:12:21.670949936 CEST	56917	445	192.168.2.5	6.119.83.71
Jul 12, 2024 08:12:21.676191092 CEST	445	56917	6.119.83.71	192.168.2.5
Jul 12, 2024 08:12:21.676285982 CEST	56917	445	192.168.2.5	6.119.83.71
Jul 12, 2024 08:12:21.679920912 CEST	56917	445	192.168.2.5	6.119.83.71
Jul 12, 2024 08:12:21.680337906 CEST	56918	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.684956074 CEST	445	56917	6.119.83.71	192.168.2.5
Jul 12, 2024 08:12:21.685013056 CEST	56917	445	192.168.2.5	6.119.83.71
Jul 12, 2024 08:12:21.685302973 CEST	445	56918	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:21.685445070 CEST	56918	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.685445070 CEST	56918	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.685863972 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.691215038 CEST	445	56918	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:21.691257000 CEST	445	56918	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:21.691296101 CEST	445	56919	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:21.691348076 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.691375017 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.691392899 CEST	56918	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:21.696326971 CEST	445	56919	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:21.920176029 CEST	445	49735	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:21.920289040 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:21.920393944 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:21.920393944 CEST	49735	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:21.925291061 CEST	445	49735	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:21.925335884 CEST	445	49735	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:22.576272011 CEST	56930	445	192.168.2.5	19.193.250.173
Jul 12, 2024 08:12:22.581239939 CEST	445	56930	19.193.250.173	192.168.2.5
Jul 12, 2024 08:12:22.581353903 CEST	56930	445	192.168.2.5	19.193.250.173
Jul 12, 2024 08:12:22.581417084 CEST	56930	445	192.168.2.5	19.193.250.173
Jul 12, 2024 08:12:22.581659079 CEST	56931	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.586551905 CEST	445	56931	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:22.586632967 CEST	56931	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.586658955 CEST	445	56930	19.193.250.173	192.168.2.5
Jul 12, 2024 08:12:22.586708069 CEST	56930	445	192.168.2.5	19.193.250.173
Jul 12, 2024 08:12:22.586817980 CEST	56931	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.587122917 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.591967106 CEST	445	56932	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:22.592034101 CEST	445	56931	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:22.592041016 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.592051029 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.592077971 CEST	56931	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:22.596987963 CEST	445	56932	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:22.826757908 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:22.831902027 CEST	445	56936	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:22.831981897 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:22.832035065 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:22.836961031 CEST	445	56936	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:23.810003042 CEST	445	49760	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:23.810170889 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:23.810265064 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:23.810317993 CEST	49760	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:23.815198898 CEST	445	49760	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:23.815350056 CEST	445	49760	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:24.592015028 CEST	56937	445	192.168.2.5	45.205.206.163
Jul 12, 2024 08:12:24.597527981 CEST	445	56937	45.205.206.163	192.168.2.5
Jul 12, 2024 08:12:24.597668886 CEST	56937	445	192.168.2.5	45.205.206.163
Jul 12, 2024 08:12:24.597733021 CEST	56937	445	192.168.2.5	45.205.206.163
Jul 12, 2024 08:12:24.597927094 CEST	56938	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.602888107 CEST	445	56938	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:24.602935076 CEST	445	56937	45.205.206.163	192.168.2.5
Jul 12, 2024 08:12:24.602968931 CEST	56938	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.602993011 CEST	56938	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.603058100 CEST	445	56937	45.205.206.163	192.168.2.5
Jul 12, 2024 08:12:24.603118896 CEST	56937	445	192.168.2.5	45.205.206.163
Jul 12, 2024 08:12:24.603302002 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.608167887 CEST	445	56939	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:24.608237982 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.608273029 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.608309984 CEST	445	56938	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:24.608371973 CEST	56938	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:24.613209963 CEST	445	56939	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:24.935672998 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:24.940774918 CEST	445	56940	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:24.940924883 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:24.940983057 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:24.945766926 CEST	445	56940	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:25.853007078 CEST	445	49783	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:25.853092909 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:25.853173018 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:25.853240967 CEST	49783	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:25.858086109 CEST	445	49783	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:25.858155012 CEST	445	49783	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:26.607845068 CEST	56941	445	192.168.2.5	192.99.167.126
Jul 12, 2024 08:12:26.613033056 CEST	445	56941	192.99.167.126	192.168.2.5
Jul 12, 2024 08:12:26.613156080 CEST	56941	445	192.168.2.5	192.99.167.126
Jul 12, 2024 08:12:26.613265991 CEST	56941	445	192.168.2.5	192.99.167.126
Jul 12, 2024 08:12:26.613576889 CEST	56942	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.618424892 CEST	445	56942	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:26.618503094 CEST	445	56941	192.99.167.126	192.168.2.5
Jul 12, 2024 08:12:26.618503094 CEST	56942	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.618573904 CEST	56941	445	192.168.2.5	192.99.167.126
Jul 12, 2024 08:12:26.618649006 CEST	56942	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.618956089 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.624238968 CEST	445	56943	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:26.624288082 CEST	445	56942	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:26.624311924 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.624336004 CEST	56942	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.624392986 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:26.629148006 CEST	445	56943	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:26.827650070 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:26.832968950 CEST	445	56944	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:26.833101034 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:26.833192110 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:26.838176012 CEST	445	56944	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:27.905760050 CEST	445	49806	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:27.906064034 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:27.906064034 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:27.906120062 CEST	49806	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:27.911113024 CEST	445	49806	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:27.911156893 CEST	445	49806	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:28.651108027 CEST	56945	445	192.168.2.5	159.4.73.230
Jul 12, 2024 08:12:28.656229019 CEST	445	56945	159.4.73.230	192.168.2.5
Jul 12, 2024 08:12:28.656325102 CEST	56945	445	192.168.2.5	159.4.73.230
Jul 12, 2024 08:12:28.658348083 CEST	56945	445	192.168.2.5	159.4.73.230
Jul 12, 2024 08:12:28.658550024 CEST	56946	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.663399935 CEST	445	56945	159.4.73.230	192.168.2.5
Jul 12, 2024 08:12:28.663480043 CEST	56945	445	192.168.2.5	159.4.73.230
Jul 12, 2024 08:12:28.663508892 CEST	445	56946	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:28.663575888 CEST	56946	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.663775921 CEST	56946	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.666552067 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.673712015 CEST	445	56947	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:28.673788071 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.675260067 CEST	445	56946	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:28.675313950 CEST	56946	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.679538965 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:28.684470892 CEST	445	56947	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:28.861778975 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:28.866960049 CEST	445	56948	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:28.867047071 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:28.867089033 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:28.872010946 CEST	445	56948	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:29.884303093 CEST	445	49831	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:29.884440899 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:29.884546041 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:29.884643078 CEST	49831	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:29.890018940 CEST	445	49831	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:29.890031099 CEST	445	49831	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:30.654367924 CEST	56949	445	192.168.2.5	185.148.241.91
Jul 12, 2024 08:12:30.659343958 CEST	445	56949	185.148.241.91	192.168.2.5
Jul 12, 2024 08:12:30.659414053 CEST	56949	445	192.168.2.5	185.148.241.91
Jul 12, 2024 08:12:30.659590006 CEST	56949	445	192.168.2.5	185.148.241.91
Jul 12, 2024 08:12:30.659789085 CEST	56950	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.664540052 CEST	445	56950	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:30.664597034 CEST	56950	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.664638996 CEST	56950	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.664817095 CEST	445	56949	185.148.241.91	192.168.2.5
Jul 12, 2024 08:12:30.664859056 CEST	56949	445	192.168.2.5	185.148.241.91
Jul 12, 2024 08:12:30.664998055 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.669867039 CEST	445	56950	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:30.669887066 CEST	445	56951	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:30.669914007 CEST	56950	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.669955969 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.670028925 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:30.675108910 CEST	445	56951	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:30.924211979 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:30.929718971 CEST	445	56952	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:30.929896116 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:30.930006981 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:30.935189009 CEST	445	56952	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:31.884322882 CEST	445	49855	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:31.884428978 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:31.884463072 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:31.884499073 CEST	49855	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:31.889491081 CEST	445	49855	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:31.889534950 CEST	445	49855	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:32.434648037 CEST	445	56951	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:32.434976101 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:32.435209990 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:32.435210943 CEST	56951	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:32.442356110 CEST	445	56951	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:32.442383051 CEST	445	56951	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:32.670120001 CEST	56953	445	192.168.2.5	105.57.122.136
Jul 12, 2024 08:12:32.675517082 CEST	445	56953	105.57.122.136	192.168.2.5
Jul 12, 2024 08:12:32.675635099 CEST	56953	445	192.168.2.5	105.57.122.136
Jul 12, 2024 08:12:32.678026915 CEST	56953	445	192.168.2.5	105.57.122.136
Jul 12, 2024 08:12:32.678205967 CEST	56954	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.683181047 CEST	445	56953	105.57.122.136	192.168.2.5
Jul 12, 2024 08:12:32.683229923 CEST	445	56954	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:32.683269978 CEST	56953	445	192.168.2.5	105.57.122.136
Jul 12, 2024 08:12:32.683340073 CEST	56954	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.683387995 CEST	56954	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.683815002 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.688649893 CEST	445	56954	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:32.688671112 CEST	445	56955	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:32.688704967 CEST	56954	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.688874960 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.688875914 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:32.693892002 CEST	445	56955	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:32.888696909 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:32.893755913 CEST	445	56956	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:32.893857956 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:32.893897057 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:32.898785114 CEST	445	56956	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:33.903837919 CEST	445	49880	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:33.904103994 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:33.904104948 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:33.904104948 CEST	49880	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:33.909394979 CEST	445	49880	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:33.909440041 CEST	445	49880	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:34.545335054 CEST	56957	445	192.168.2.5	217.123.9.234
Jul 12, 2024 08:12:34.550539970 CEST	445	56957	217.123.9.234	192.168.2.5
Jul 12, 2024 08:12:34.550642967 CEST	56957	445	192.168.2.5	217.123.9.234
Jul 12, 2024 08:12:34.550731897 CEST	56957	445	192.168.2.5	217.123.9.234
Jul 12, 2024 08:12:34.550930023 CEST	56958	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.555891037 CEST	445	56958	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:34.555965900 CEST	56958	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.556005955 CEST	56958	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.556153059 CEST	445	56957	217.123.9.234	192.168.2.5
Jul 12, 2024 08:12:34.556322098 CEST	56957	445	192.168.2.5	217.123.9.234
Jul 12, 2024 08:12:34.556360960 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.561829090 CEST	445	56958	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:34.561873913 CEST	445	56959	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:34.561898947 CEST	56958	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.561927080 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.561959028 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:34.566832066 CEST	445	56959	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:34.888612986 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:34.894140005 CEST	445	56960	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:34.894273996 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:34.894315958 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:34.899709940 CEST	445	56960	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:35.436013937 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:35.442847013 CEST	445	56961	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:35.443111897 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:35.443111897 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:35.450242996 CEST	445	56961	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:35.916590929 CEST	445	49907	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:35.916753054 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:35.916862965 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:35.916862965 CEST	49907	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:35.921909094 CEST	445	49907	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:35.921952963 CEST	445	49907	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:36.295643091 CEST	56962	445	192.168.2.5	10.50.70.81
Jul 12, 2024 08:12:36.300717115 CEST	445	56962	10.50.70.81	192.168.2.5
Jul 12, 2024 08:12:36.300966024 CEST	56962	445	192.168.2.5	10.50.70.81
Jul 12, 2024 08:12:36.300966978 CEST	56962	445	192.168.2.5	10.50.70.81
Jul 12, 2024 08:12:36.301067114 CEST	56963	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.305902004 CEST	445	56963	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:36.305994987 CEST	56963	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.306087971 CEST	56963	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.306453943 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.306566954 CEST	445	56962	10.50.70.81	192.168.2.5
Jul 12, 2024 08:12:36.306644917 CEST	56962	445	192.168.2.5	10.50.70.81
Jul 12, 2024 08:12:36.311449051 CEST	445	56963	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:36.311465979 CEST	445	56964	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:36.311544895 CEST	56963	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.311582088 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.311639071 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:36.316797972 CEST	445	56964	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:36.919892073 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:36.925002098 CEST	445	56965	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:36.925110102 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:36.925158024 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:36.930073977 CEST	445	56965	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:37.221133947 CEST	445	56961	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:37.221414089 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:37.221518040 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:37.221518040 CEST	56961	445	192.168.2.5	185.148.241.1
Jul 12, 2024 08:12:37.226700068 CEST	445	56961	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:37.226746082 CEST	445	56961	185.148.241.1	192.168.2.5
Jul 12, 2024 08:12:37.295105934 CEST	56966	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.300059080 CEST	445	56966	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:37.300196886 CEST	56966	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.303798914 CEST	56966	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.304225922 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.308716059 CEST	445	56966	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:37.308794975 CEST	56966	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.308989048 CEST	445	56967	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:37.309050083 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.309211016 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:37.314047098 CEST	445	56967	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:37.936079979 CEST	56968	445	192.168.2.5	63.194.252.161
Jul 12, 2024 08:12:37.937338114 CEST	445	49935	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:37.937800884 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:37.937918901 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:37.937918901 CEST	49935	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:37.941600084 CEST	445	56968	63.194.252.161	192.168.2.5
Jul 12, 2024 08:12:37.941911936 CEST	56968	445	192.168.2.5	63.194.252.161
Jul 12, 2024 08:12:37.941911936 CEST	56968	445	192.168.2.5	63.194.252.161
Jul 12, 2024 08:12:37.942152023 CEST	56969	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.942861080 CEST	445	49935	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:37.942953110 CEST	445	49935	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:37.946980000 CEST	445	56969	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:37.947047949 CEST	56969	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.947069883 CEST	56969	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.947365999 CEST	445	56968	63.194.252.161	192.168.2.5
Jul 12, 2024 08:12:37.947429895 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.947508097 CEST	56968	445	192.168.2.5	63.194.252.161
Jul 12, 2024 08:12:37.952229977 CEST	445	56970	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:37.952323914 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.952323914 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.952358007 CEST	445	56969	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:37.952419996 CEST	56969	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:37.957257032 CEST	445	56970	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:38.919666052 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:38.924731016 CEST	445	56971	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:38.924793005 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:38.924818039 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:12:38.929687977 CEST	445	56971	149.78.23.1	192.168.2.5
Jul 12, 2024 08:12:39.467099905 CEST	56972	445	192.168.2.5	133.184.83.24
Jul 12, 2024 08:12:39.472099066 CEST	445	56972	133.184.83.24	192.168.2.5
Jul 12, 2024 08:12:39.472193956 CEST	56972	445	192.168.2.5	133.184.83.24
Jul 12, 2024 08:12:39.472233057 CEST	56972	445	192.168.2.5	133.184.83.24
Jul 12, 2024 08:12:39.472413063 CEST	56973	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.477159977 CEST	445	56973	133.184.83.1	192.168.2.5
Jul 12, 2024 08:12:39.477209091 CEST	56973	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.477233887 CEST	56973	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.477397919 CEST	445	56972	133.184.83.24	192.168.2.5
Jul 12, 2024 08:12:39.477452040 CEST	56972	445	192.168.2.5	133.184.83.24
Jul 12, 2024 08:12:39.477514982 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.482420921 CEST	445	56974	133.184.83.1	192.168.2.5
Jul 12, 2024 08:12:39.482434034 CEST	445	56973	133.184.83.1	192.168.2.5
Jul 12, 2024 08:12:39.482491016 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.482516050 CEST	56973	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.482516050 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:12:39.487341881 CEST	445	56974	133.184.83.1	192.168.2.5
Jul 12, 2024 08:12:39.931308031 CEST	445	56883	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:39.931468964 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:39.947572947 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:39.947648048 CEST	56883	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:39.952420950 CEST	445	56883	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:39.952435017 CEST	445	56883	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:40.889363050 CEST	56975	445	192.168.2.5	149.178.165.169
Jul 12, 2024 08:12:40.894532919 CEST	445	56975	149.178.165.169	192.168.2.5
Jul 12, 2024 08:12:40.894635916 CEST	56975	445	192.168.2.5	149.178.165.169
Jul 12, 2024 08:12:40.894635916 CEST	56975	445	192.168.2.5	149.178.165.169
Jul 12, 2024 08:12:40.894781113 CEST	56976	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.900300980 CEST	445	56976	149.178.165.1	192.168.2.5
Jul 12, 2024 08:12:40.900353909 CEST	445	56975	149.178.165.169	192.168.2.5
Jul 12, 2024 08:12:40.900367022 CEST	56976	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.900382042 CEST	56976	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.900417089 CEST	56975	445	192.168.2.5	149.178.165.169
Jul 12, 2024 08:12:40.900635958 CEST	56977	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.905456066 CEST	445	56977	149.178.165.1	192.168.2.5
Jul 12, 2024 08:12:40.905514002 CEST	56977	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.905553102 CEST	56977	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.905602932 CEST	445	56976	149.178.165.1	192.168.2.5
Jul 12, 2024 08:12:40.905642033 CEST	56976	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:12:40.910470009 CEST	445	56977	149.178.165.1	192.168.2.5
Jul 12, 2024 08:12:40.951086044 CEST	56978	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:40.956316948 CEST	445	56978	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:40.956444025 CEST	56978	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:40.956521988 CEST	56978	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:12:40.961441040 CEST	445	56978	192.12.185.1	192.168.2.5
Jul 12, 2024 08:12:42.217015028 CEST	56979	445	192.168.2.5	199.9.102.164
Jul 12, 2024 08:12:42.224246025 CEST	445	56979	199.9.102.164	192.168.2.5
Jul 12, 2024 08:12:42.224380970 CEST	56979	445	192.168.2.5	199.9.102.164
Jul 12, 2024 08:12:42.224473953 CEST	56979	445	192.168.2.5	199.9.102.164
Jul 12, 2024 08:12:42.224526882 CEST	56980	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.231756926 CEST	445	56980	199.9.102.1	192.168.2.5
Jul 12, 2024 08:12:42.231878996 CEST	56980	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.232211113 CEST	56980	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.232213020 CEST	56981	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.232263088 CEST	445	56979	199.9.102.164	192.168.2.5
Jul 12, 2024 08:12:42.232315063 CEST	56979	445	192.168.2.5	199.9.102.164
Jul 12, 2024 08:12:42.239398003 CEST	445	56981	199.9.102.1	192.168.2.5
Jul 12, 2024 08:12:42.239494085 CEST	56981	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.239531040 CEST	56981	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.239866972 CEST	445	56980	199.9.102.1	192.168.2.5
Jul 12, 2024 08:12:42.240019083 CEST	56980	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:12:42.246562004 CEST	445	56981	199.9.102.1	192.168.2.5
Jul 12, 2024 08:12:42.951248884 CEST	56982	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:43.072417974 CEST	445	56982	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:43.072524071 CEST	56982	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:43.072582006 CEST	56982	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:12:43.079873085 CEST	445	56982	27.249.74.1	192.168.2.5
Jul 12, 2024 08:12:43.094089985 CEST	445	56919	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:43.094191074 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:43.094227076 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:43.094252110 CEST	56919	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:43.099121094 CEST	445	56919	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:43.099152088 CEST	445	56919	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:43.451443911 CEST	56983	445	192.168.2.5	170.120.108.114
Jul 12, 2024 08:12:43.459383965 CEST	445	56983	170.120.108.114	192.168.2.5
Jul 12, 2024 08:12:43.459588051 CEST	56983	445	192.168.2.5	170.120.108.114
Jul 12, 2024 08:12:43.459588051 CEST	56983	445	192.168.2.5	170.120.108.114
Jul 12, 2024 08:12:43.459588051 CEST	56984	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.467294931 CEST	445	56984	170.120.108.1	192.168.2.5
Jul 12, 2024 08:12:43.467396021 CEST	56984	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.467396021 CEST	56984	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.467684031 CEST	56985	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.467897892 CEST	445	56983	170.120.108.114	192.168.2.5
Jul 12, 2024 08:12:43.468065023 CEST	56983	445	192.168.2.5	170.120.108.114
Jul 12, 2024 08:12:43.472564936 CEST	445	56985	170.120.108.1	192.168.2.5
Jul 12, 2024 08:12:43.472640991 CEST	56985	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.472682953 CEST	56985	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.473047972 CEST	445	56984	170.120.108.1	192.168.2.5
Jul 12, 2024 08:12:43.473218918 CEST	56984	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:12:43.478622913 CEST	445	56985	170.120.108.1	192.168.2.5
Jul 12, 2024 08:12:43.963052034 CEST	445	56932	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:43.963221073 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:43.963221073 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:43.963221073 CEST	56932	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:43.968225002 CEST	445	56932	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:43.968255997 CEST	445	56932	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:44.216911077 CEST	445	56936	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:44.216993093 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:44.217053890 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:44.217113018 CEST	56936	445	192.168.2.5	204.59.96.1
Jul 12, 2024 08:12:44.222979069 CEST	445	56936	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:44.223011017 CEST	445	56936	204.59.96.1	192.168.2.5
Jul 12, 2024 08:12:44.279170990 CEST	56986	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.284622908 CEST	445	56986	204.59.96.2	192.168.2.5
Jul 12, 2024 08:12:44.284703970 CEST	56986	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.284740925 CEST	56986	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.285069942 CEST	56987	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.290076017 CEST	445	56987	204.59.96.2	192.168.2.5
Jul 12, 2024 08:12:44.290139914 CEST	56987	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.290163994 CEST	56987	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.290180922 CEST	445	56986	204.59.96.2	192.168.2.5
Jul 12, 2024 08:12:44.290241003 CEST	56986	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:12:44.295118093 CEST	445	56987	204.59.96.2	192.168.2.5
Jul 12, 2024 08:12:44.607652903 CEST	56988	445	192.168.2.5	11.223.200.38
Jul 12, 2024 08:12:44.612917900 CEST	445	56988	11.223.200.38	192.168.2.5
Jul 12, 2024 08:12:44.613137960 CEST	56988	445	192.168.2.5	11.223.200.38
Jul 12, 2024 08:12:44.613138914 CEST	56988	445	192.168.2.5	11.223.200.38
Jul 12, 2024 08:12:44.613229990 CEST	56989	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.618489027 CEST	445	56989	11.223.200.1	192.168.2.5
Jul 12, 2024 08:12:44.618560076 CEST	56989	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.618659019 CEST	56989	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.618767977 CEST	445	56988	11.223.200.38	192.168.2.5
Jul 12, 2024 08:12:44.619050026 CEST	56990	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.619124889 CEST	445	56988	11.223.200.38	192.168.2.5
Jul 12, 2024 08:12:44.619312048 CEST	56988	445	192.168.2.5	11.223.200.38
Jul 12, 2024 08:12:44.623894930 CEST	445	56990	11.223.200.1	192.168.2.5
Jul 12, 2024 08:12:44.623972893 CEST	56990	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.624021053 CEST	56990	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.624598026 CEST	445	56989	11.223.200.1	192.168.2.5
Jul 12, 2024 08:12:44.624655962 CEST	56989	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:12:44.629057884 CEST	445	56990	11.223.200.1	192.168.2.5
Jul 12, 2024 08:12:45.685698032 CEST	56991	445	192.168.2.5	144.131.63.187
Jul 12, 2024 08:12:45.690639019 CEST	445	56991	144.131.63.187	192.168.2.5
Jul 12, 2024 08:12:45.690762997 CEST	56991	445	192.168.2.5	144.131.63.187
Jul 12, 2024 08:12:45.690793991 CEST	56991	445	192.168.2.5	144.131.63.187
Jul 12, 2024 08:12:45.691034079 CEST	56992	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.697877884 CEST	445	56991	144.131.63.187	192.168.2.5
Jul 12, 2024 08:12:45.697948933 CEST	56991	445	192.168.2.5	144.131.63.187
Jul 12, 2024 08:12:45.697984934 CEST	445	56992	144.131.63.1	192.168.2.5
Jul 12, 2024 08:12:45.698057890 CEST	56992	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.698077917 CEST	56992	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.698398113 CEST	56993	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.703224897 CEST	445	56993	144.131.63.1	192.168.2.5
Jul 12, 2024 08:12:45.703318119 CEST	56993	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.703345060 CEST	56993	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.704139948 CEST	445	56992	144.131.63.1	192.168.2.5
Jul 12, 2024 08:12:45.704200983 CEST	56992	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:12:45.708194971 CEST	445	56993	144.131.63.1	192.168.2.5
Jul 12, 2024 08:12:45.995764017 CEST	445	56939	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:45.996073008 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:45.996073008 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:45.996124029 CEST	56939	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:46.000921011 CEST	445	56939	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:46.000960112 CEST	445	56939	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:46.107276917 CEST	56994	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:46.112457037 CEST	445	56994	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:46.112565994 CEST	56994	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:46.112577915 CEST	56994	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:12:46.117423058 CEST	445	56994	6.119.83.1	192.168.2.5
Jul 12, 2024 08:12:46.341962099 CEST	445	56940	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:46.342200994 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:46.342200994 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:46.342200994 CEST	56940	445	192.168.2.5	89.248.166.1
Jul 12, 2024 08:12:46.350481033 CEST	445	56940	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:46.350513935 CEST	445	56940	89.248.166.1	192.168.2.5
Jul 12, 2024 08:12:46.404443026 CEST	56995	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.409815073 CEST	445	56995	89.248.166.2	192.168.2.5
Jul 12, 2024 08:12:46.409924030 CEST	56995	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.409961939 CEST	56995	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.415513039 CEST	56996	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.415541887 CEST	445	56995	89.248.166.2	192.168.2.5
Jul 12, 2024 08:12:46.415611982 CEST	56995	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.420722961 CEST	445	56996	89.248.166.2	192.168.2.5
Jul 12, 2024 08:12:46.420816898 CEST	56996	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.422894001 CEST	56996	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:12:46.430551052 CEST	445	56996	89.248.166.2	192.168.2.5
Jul 12, 2024 08:12:46.735378027 CEST	56997	445	192.168.2.5	58.98.198.169
Jul 12, 2024 08:12:46.740391016 CEST	445	56997	58.98.198.169	192.168.2.5
Jul 12, 2024 08:12:46.740462065 CEST	56997	445	192.168.2.5	58.98.198.169
Jul 12, 2024 08:12:46.740523100 CEST	56997	445	192.168.2.5	58.98.198.169
Jul 12, 2024 08:12:46.740654945 CEST	56998	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.745584011 CEST	445	56998	58.98.198.1	192.168.2.5
Jul 12, 2024 08:12:46.745660067 CEST	56998	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.745711088 CEST	56998	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.745884895 CEST	445	56997	58.98.198.169	192.168.2.5
Jul 12, 2024 08:12:46.745965958 CEST	56997	445	192.168.2.5	58.98.198.169
Jul 12, 2024 08:12:46.748497009 CEST	56999	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.751259089 CEST	445	56998	58.98.198.1	192.168.2.5
Jul 12, 2024 08:12:46.751316071 CEST	56998	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.753773928 CEST	445	56999	58.98.198.1	192.168.2.5
Jul 12, 2024 08:12:46.753833055 CEST	56999	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.756424904 CEST	56999	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:12:46.761316061 CEST	445	56999	58.98.198.1	192.168.2.5
Jul 12, 2024 08:12:46.966850042 CEST	57000	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:46.972456932 CEST	445	57000	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:46.972554922 CEST	57000	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:46.972596884 CEST	57000	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:12:46.977642059 CEST	445	57000	19.193.250.1	192.168.2.5
Jul 12, 2024 08:12:47.670133114 CEST	57001	445	192.168.2.5	146.166.199.132
Jul 12, 2024 08:12:47.675446987 CEST	445	57001	146.166.199.132	192.168.2.5
Jul 12, 2024 08:12:47.675594091 CEST	57001	445	192.168.2.5	146.166.199.132
Jul 12, 2024 08:12:47.675712109 CEST	57001	445	192.168.2.5	146.166.199.132
Jul 12, 2024 08:12:47.676033020 CEST	57002	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.680969000 CEST	445	57002	146.166.199.1	192.168.2.5
Jul 12, 2024 08:12:47.681080103 CEST	57002	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.681231022 CEST	57002	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.681291103 CEST	445	57001	146.166.199.132	192.168.2.5
Jul 12, 2024 08:12:47.681380987 CEST	57001	445	192.168.2.5	146.166.199.132
Jul 12, 2024 08:12:47.681865931 CEST	57003	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.686496973 CEST	445	57002	146.166.199.1	192.168.2.5
Jul 12, 2024 08:12:47.686563969 CEST	57002	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.686794996 CEST	445	57003	146.166.199.1	192.168.2.5
Jul 12, 2024 08:12:47.686868906 CEST	57003	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.686913013 CEST	57003	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:12:47.691709042 CEST	445	57003	146.166.199.1	192.168.2.5
Jul 12, 2024 08:12:48.009408951 CEST	445	56943	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:48.009493113 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:48.009526968 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:48.009565115 CEST	56943	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:48.014422894 CEST	445	56943	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:48.014451027 CEST	445	56943	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:48.213159084 CEST	445	56944	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:48.213643074 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:48.213643074 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:48.216464996 CEST	56944	445	192.168.2.5	50.247.21.1
Jul 12, 2024 08:12:48.218820095 CEST	445	56944	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:48.221395969 CEST	445	56944	50.247.21.1	192.168.2.5
Jul 12, 2024 08:12:48.279345989 CEST	57004	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.286062956 CEST	445	57004	50.247.21.2	192.168.2.5
Jul 12, 2024 08:12:48.286153078 CEST	57004	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.286175013 CEST	57004	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.286580086 CEST	57005	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.292932987 CEST	445	57005	50.247.21.2	192.168.2.5
Jul 12, 2024 08:12:48.293042898 CEST	57005	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.293042898 CEST	57005	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.293715954 CEST	445	57004	50.247.21.2	192.168.2.5
Jul 12, 2024 08:12:48.293771029 CEST	57004	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:12:48.298187971 CEST	445	57005	50.247.21.2	192.168.2.5
Jul 12, 2024 08:12:48.545840979 CEST	57006	445	192.168.2.5	35.216.199.11
Jul 12, 2024 08:12:48.552103043 CEST	445	57006	35.216.199.11	192.168.2.5
Jul 12, 2024 08:12:48.552201986 CEST	57006	445	192.168.2.5	35.216.199.11
Jul 12, 2024 08:12:48.552294970 CEST	57006	445	192.168.2.5	35.216.199.11
Jul 12, 2024 08:12:48.552495956 CEST	57007	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.559967041 CEST	445	57007	35.216.199.1	192.168.2.5
Jul 12, 2024 08:12:48.560056925 CEST	57007	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.560100079 CEST	57007	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.560925961 CEST	445	57006	35.216.199.11	192.168.2.5
Jul 12, 2024 08:12:48.560983896 CEST	57006	445	192.168.2.5	35.216.199.11
Jul 12, 2024 08:12:48.561321974 CEST	57008	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.565601110 CEST	445	57007	35.216.199.1	192.168.2.5
Jul 12, 2024 08:12:48.565659046 CEST	57007	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.566127062 CEST	445	57008	35.216.199.1	192.168.2.5
Jul 12, 2024 08:12:48.566179037 CEST	57008	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.566237926 CEST	57008	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:12:48.571033955 CEST	445	57008	35.216.199.1	192.168.2.5
Jul 12, 2024 08:12:48.998016119 CEST	57009	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:49.003446102 CEST	445	57009	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:49.003659964 CEST	57009	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:49.003659964 CEST	57009	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:12:49.008795023 CEST	445	57009	45.205.206.1	192.168.2.5
Jul 12, 2024 08:12:49.456815004 CEST	57010	445	192.168.2.5	149.72.206.63
Jul 12, 2024 08:12:49.462018013 CEST	445	57010	149.72.206.63	192.168.2.5
Jul 12, 2024 08:12:49.462107897 CEST	57010	445	192.168.2.5	149.72.206.63
Jul 12, 2024 08:12:49.462393999 CEST	57010	445	192.168.2.5	149.72.206.63
Jul 12, 2024 08:12:49.462523937 CEST	57011	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.467391968 CEST	445	57011	149.72.206.1	192.168.2.5
Jul 12, 2024 08:12:49.467463017 CEST	57011	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.467705011 CEST	445	57010	149.72.206.63	192.168.2.5
Jul 12, 2024 08:12:49.467888117 CEST	57010	445	192.168.2.5	149.72.206.63
Jul 12, 2024 08:12:49.468633890 CEST	57011	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.473769903 CEST	445	57011	149.72.206.1	192.168.2.5
Jul 12, 2024 08:12:49.473838091 CEST	57011	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.474204063 CEST	57012	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.479326963 CEST	445	57012	149.72.206.1	192.168.2.5
Jul 12, 2024 08:12:49.479422092 CEST	57012	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.479453087 CEST	57012	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:12:49.484410048 CEST	445	57012	149.72.206.1	192.168.2.5
Jul 12, 2024 08:12:50.057267904 CEST	445	56947	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:50.057352066 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:50.057434082 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:50.057495117 CEST	56947	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:50.062405109 CEST	445	56947	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:50.062532902 CEST	445	56947	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:50.212939978 CEST	445	56948	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:50.213156939 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:50.213215113 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:50.213448048 CEST	56948	445	192.168.2.5	203.155.53.1
Jul 12, 2024 08:12:50.218096972 CEST	445	56948	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:50.218236923 CEST	445	56948	203.155.53.1	192.168.2.5
Jul 12, 2024 08:12:50.232559919 CEST	57013	445	192.168.2.5	147.150.35.105
Jul 12, 2024 08:12:50.239790916 CEST	445	57013	147.150.35.105	192.168.2.5
Jul 12, 2024 08:12:50.240008116 CEST	57013	445	192.168.2.5	147.150.35.105
Jul 12, 2024 08:12:50.240101099 CEST	57013	445	192.168.2.5	147.150.35.105
Jul 12, 2024 08:12:50.240101099 CEST	57014	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.245263100 CEST	445	57014	147.150.35.1	192.168.2.5
Jul 12, 2024 08:12:50.245341063 CEST	57014	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.245651960 CEST	445	57013	147.150.35.105	192.168.2.5
Jul 12, 2024 08:12:50.245682955 CEST	57014	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.245753050 CEST	57013	445	192.168.2.5	147.150.35.105
Jul 12, 2024 08:12:50.245846033 CEST	57015	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.250838995 CEST	445	57014	147.150.35.1	192.168.2.5
Jul 12, 2024 08:12:50.250869989 CEST	445	57015	147.150.35.1	192.168.2.5
Jul 12, 2024 08:12:50.250895977 CEST	57014	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.250967026 CEST	57015	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.251008034 CEST	57015	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:12:50.255798101 CEST	445	57015	147.150.35.1	192.168.2.5
Jul 12, 2024 08:12:50.279217005 CEST	57016	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.284321070 CEST	445	57016	203.155.53.2	192.168.2.5
Jul 12, 2024 08:12:50.284403086 CEST	57016	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.284425974 CEST	57016	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.284698009 CEST	57017	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.289478064 CEST	445	57017	203.155.53.2	192.168.2.5
Jul 12, 2024 08:12:50.289554119 CEST	57017	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.289589882 CEST	57017	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.289637089 CEST	445	57016	203.155.53.2	192.168.2.5
Jul 12, 2024 08:12:50.289689064 CEST	57016	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:12:50.294454098 CEST	445	57017	203.155.53.2	192.168.2.5
Jul 12, 2024 08:12:51.013573885 CEST	57019	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:51.018517971 CEST	445	57019	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:51.018632889 CEST	57019	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:51.018652916 CEST	57019	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:12:51.023421049 CEST	445	57019	192.99.167.1	192.168.2.5
Jul 12, 2024 08:12:52.308984995 CEST	445	56952	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:52.309124947 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:52.309225082 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:52.309350014 CEST	56952	445	192.168.2.5	160.232.165.1
Jul 12, 2024 08:12:52.314063072 CEST	445	56952	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:52.314713001 CEST	445	56952	160.232.165.1	192.168.2.5
Jul 12, 2024 08:12:52.373004913 CEST	57023	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.377991915 CEST	445	57023	160.232.165.2	192.168.2.5
Jul 12, 2024 08:12:52.378088951 CEST	57023	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.378125906 CEST	57023	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.378488064 CEST	57024	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.383285046 CEST	445	57024	160.232.165.2	192.168.2.5
Jul 12, 2024 08:12:52.383356094 CEST	57024	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.383378983 CEST	57024	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.383559942 CEST	445	57023	160.232.165.2	192.168.2.5
Jul 12, 2024 08:12:52.383618116 CEST	57023	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:12:52.388173103 CEST	445	57024	160.232.165.2	192.168.2.5
Jul 12, 2024 08:12:53.060349941 CEST	57027	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:53.065464973 CEST	445	57027	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:53.065541029 CEST	57027	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:53.065565109 CEST	57027	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:12:53.070410013 CEST	445	57027	159.4.73.1	192.168.2.5
Jul 12, 2024 08:12:54.060694933 CEST	445	56955	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:54.060928106 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:54.060928106 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:54.060928106 CEST	56955	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:54.066257000 CEST	445	56955	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:54.066287041 CEST	445	56955	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:54.087879896 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.087970972 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:54.088061094 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.088437080 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.088475943 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:54.264512062 CEST	445	56956	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:54.264616966 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:54.264708996 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:54.264708996 CEST	56956	445	192.168.2.5	183.227.189.1
Jul 12, 2024 08:12:54.269710064 CEST	445	56956	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:54.269742012 CEST	445	56956	183.227.189.1	192.168.2.5
Jul 12, 2024 08:12:54.326502085 CEST	57036	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.332546949 CEST	445	57036	183.227.189.2	192.168.2.5
Jul 12, 2024 08:12:54.332773924 CEST	57036	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.332775116 CEST	57036	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.333121061 CEST	57037	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.338073969 CEST	445	57037	183.227.189.2	192.168.2.5
Jul 12, 2024 08:12:54.338129044 CEST	445	57036	183.227.189.2	192.168.2.5
Jul 12, 2024 08:12:54.338191986 CEST	57036	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.338284016 CEST	57037	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.338284969 CEST	57037	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:12:54.343189001 CEST	445	57037	183.227.189.2	192.168.2.5
Jul 12, 2024 08:12:54.859426022 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:54.859507084 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.862957954 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.862987995 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:54.863203049 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:54.870131969 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:54.916496992 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.191601038 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.191621065 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.191766024 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.191788912 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.191838980 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.191865921 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.191889048 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.192091942 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.192152977 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.192167997 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.192229986 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.192378044 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.192420006 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.192425013 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.192466021 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.195431948 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.195467949 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.195492983 CEST	57034	443	192.168.2.5	20.114.59.183
Jul 12, 2024 08:12:55.195508003 CEST	443	57034	20.114.59.183	192.168.2.5
Jul 12, 2024 08:12:55.935517073 CEST	445	56959	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:55.935592890 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:55.935625076 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:55.935658932 CEST	56959	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:55.940634966 CEST	445	56959	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:55.940665007 CEST	445	56959	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:56.312473059 CEST	445	56960	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:56.312695980 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:56.312737942 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:56.312828064 CEST	56960	445	192.168.2.5	96.158.114.1
Jul 12, 2024 08:12:56.317689896 CEST	445	56960	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:56.317742109 CEST	445	56960	96.158.114.1	192.168.2.5
Jul 12, 2024 08:12:56.373147964 CEST	57058	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.378221989 CEST	445	57058	96.158.114.2	192.168.2.5
Jul 12, 2024 08:12:56.380397081 CEST	57058	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.380439997 CEST	57058	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.380716085 CEST	57059	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.385642052 CEST	445	57059	96.158.114.2	192.168.2.5
Jul 12, 2024 08:12:56.386698961 CEST	445	57058	96.158.114.2	192.168.2.5
Jul 12, 2024 08:12:56.386769056 CEST	57058	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.386812925 CEST	57059	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.386812925 CEST	57059	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:12:56.391746998 CEST	445	57059	96.158.114.2	192.168.2.5
Jul 12, 2024 08:12:57.076703072 CEST	57068	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:57.081801891 CEST	445	57068	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:57.081886053 CEST	57068	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:57.081924915 CEST	57068	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:12:57.086752892 CEST	445	57068	105.57.122.1	192.168.2.5
Jul 12, 2024 08:12:57.685745955 CEST	445	56964	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:57.685878992 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:57.685878992 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:57.685878992 CEST	56964	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:12:57.691468000 CEST	445	56964	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:57.691497087 CEST	445	56964	10.50.70.1	192.168.2.5
Jul 12, 2024 08:12:58.276303053 CEST	445	56965	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:58.276415110 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:58.276415110 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:58.276520967 CEST	56965	445	192.168.2.5	161.45.66.1
Jul 12, 2024 08:12:58.281702995 CEST	445	56965	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:58.281744003 CEST	445	56965	161.45.66.1	192.168.2.5
Jul 12, 2024 08:12:58.341864109 CEST	57091	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.347246885 CEST	445	57091	161.45.66.2	192.168.2.5
Jul 12, 2024 08:12:58.347543001 CEST	57091	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.347543001 CEST	57091	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.347768068 CEST	57092	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.352533102 CEST	445	57092	161.45.66.2	192.168.2.5
Jul 12, 2024 08:12:58.352703094 CEST	57092	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.352866888 CEST	57092	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.352907896 CEST	445	57091	161.45.66.2	192.168.2.5
Jul 12, 2024 08:12:58.352962971 CEST	57091	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:12:58.357712030 CEST	445	57092	161.45.66.2	192.168.2.5
Jul 12, 2024 08:12:58.682365894 CEST	445	56967	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:58.682634115 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:58.682634115 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:58.682634115 CEST	56967	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:12:58.687603951 CEST	445	56967	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:58.687623024 CEST	445	56967	185.148.241.2	192.168.2.5
Jul 12, 2024 08:12:58.951052904 CEST	57106	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:58.957874060 CEST	445	57106	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:58.958038092 CEST	57106	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:58.958039045 CEST	57106	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:12:58.966067076 CEST	445	57106	217.123.9.1	192.168.2.5
Jul 12, 2024 08:12:59.326822996 CEST	445	56970	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:59.327039957 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:59.327114105 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:59.327115059 CEST	56970	445	192.168.2.5	63.194.252.1
Jul 12, 2024 08:12:59.332108021 CEST	445	56970	63.194.252.1	192.168.2.5
Jul 12, 2024 08:12:59.332133055 CEST	445	56970	63.194.252.1	192.168.2.5
Jul 12, 2024 08:13:00.313910961 CEST	445	56971	149.78.23.1	192.168.2.5
Jul 12, 2024 08:13:00.314007044 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:13:00.314048052 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:13:00.314057112 CEST	56971	445	192.168.2.5	149.78.23.1
Jul 12, 2024 08:13:00.320456982 CEST	445	56971	149.78.23.1	192.168.2.5
Jul 12, 2024 08:13:00.320601940 CEST	445	56971	149.78.23.1	192.168.2.5
Jul 12, 2024 08:13:00.373334885 CEST	57150	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.379766941 CEST	445	57150	149.78.23.2	192.168.2.5
Jul 12, 2024 08:13:00.380099058 CEST	57150	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.380192995 CEST	57150	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.381180048 CEST	57151	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.387145042 CEST	445	57150	149.78.23.2	192.168.2.5
Jul 12, 2024 08:13:00.387341022 CEST	57150	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.387610912 CEST	445	57151	149.78.23.2	192.168.2.5
Jul 12, 2024 08:13:00.387676001 CEST	57151	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.387722015 CEST	57151	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:00.394103050 CEST	445	57151	149.78.23.2	192.168.2.5
Jul 12, 2024 08:13:00.701055050 CEST	57168	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:13:00.706348896 CEST	445	57168	10.50.70.1	192.168.2.5
Jul 12, 2024 08:13:00.706432104 CEST	57168	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:13:00.706454992 CEST	57168	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:13:00.712734938 CEST	445	57168	10.50.70.1	192.168.2.5
Jul 12, 2024 08:13:00.869236946 CEST	445	56974	133.184.83.1	192.168.2.5
Jul 12, 2024 08:13:00.869364977 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:13:00.869429111 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:13:00.869503021 CEST	56974	445	192.168.2.5	133.184.83.1
Jul 12, 2024 08:13:00.874347925 CEST	445	56974	133.184.83.1	192.168.2.5
Jul 12, 2024 08:13:00.874389887 CEST	445	56974	133.184.83.1	192.168.2.5
Jul 12, 2024 08:13:01.685404062 CEST	57248	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:13:01.690470934 CEST	445	57248	185.148.241.2	192.168.2.5
Jul 12, 2024 08:13:01.690555096 CEST	57248	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:13:01.690601110 CEST	57248	445	192.168.2.5	185.148.241.2
Jul 12, 2024 08:13:01.695462942 CEST	445	57248	185.148.241.2	192.168.2.5
Jul 12, 2024 08:13:02.276329041 CEST	445	56977	149.178.165.1	192.168.2.5
Jul 12, 2024 08:13:02.276424885 CEST	56977	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:13:02.337930918 CEST	445	56978	192.12.185.1	192.168.2.5
Jul 12, 2024 08:13:02.338001013 CEST	56978	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:13:02.973941088 CEST	56982	445	192.168.2.5	27.249.74.1
Jul 12, 2024 08:13:02.974189997 CEST	56978	445	192.168.2.5	192.12.185.1
Jul 12, 2024 08:13:02.974204063 CEST	56996	445	192.168.2.5	89.248.166.2
Jul 12, 2024 08:13:02.974215031 CEST	57092	445	192.168.2.5	161.45.66.2
Jul 12, 2024 08:13:02.974251986 CEST	57005	445	192.168.2.5	50.247.21.2
Jul 12, 2024 08:13:02.974271059 CEST	57024	445	192.168.2.5	160.232.165.2
Jul 12, 2024 08:13:02.974477053 CEST	56977	445	192.168.2.5	149.178.165.1
Jul 12, 2024 08:13:02.974498034 CEST	56981	445	192.168.2.5	199.9.102.1
Jul 12, 2024 08:13:02.974518061 CEST	56985	445	192.168.2.5	170.120.108.1
Jul 12, 2024 08:13:02.974535942 CEST	56987	445	192.168.2.5	204.59.96.2
Jul 12, 2024 08:13:02.974556923 CEST	56990	445	192.168.2.5	11.223.200.1
Jul 12, 2024 08:13:02.974580050 CEST	56993	445	192.168.2.5	144.131.63.1
Jul 12, 2024 08:13:02.974601030 CEST	56994	445	192.168.2.5	6.119.83.1
Jul 12, 2024 08:13:02.974623919 CEST	56999	445	192.168.2.5	58.98.198.1
Jul 12, 2024 08:13:02.974641085 CEST	57000	445	192.168.2.5	19.193.250.1
Jul 12, 2024 08:13:02.974730015 CEST	57003	445	192.168.2.5	146.166.199.1
Jul 12, 2024 08:13:02.974746943 CEST	57008	445	192.168.2.5	35.216.199.1
Jul 12, 2024 08:13:02.974801064 CEST	57009	445	192.168.2.5	45.205.206.1
Jul 12, 2024 08:13:02.974843979 CEST	57015	445	192.168.2.5	147.150.35.1
Jul 12, 2024 08:13:02.974843979 CEST	57017	445	192.168.2.5	203.155.53.2
Jul 12, 2024 08:13:02.974864006 CEST	57019	445	192.168.2.5	192.99.167.1
Jul 12, 2024 08:13:02.974889040 CEST	57037	445	192.168.2.5	183.227.189.2
Jul 12, 2024 08:13:02.974917889 CEST	57027	445	192.168.2.5	159.4.73.1
Jul 12, 2024 08:13:02.974942923 CEST	57012	445	192.168.2.5	149.72.206.1
Jul 12, 2024 08:13:02.974942923 CEST	57068	445	192.168.2.5	105.57.122.1
Jul 12, 2024 08:13:02.974977016 CEST	57059	445	192.168.2.5	96.158.114.2
Jul 12, 2024 08:13:02.975028992 CEST	57106	445	192.168.2.5	217.123.9.1
Jul 12, 2024 08:13:02.975107908 CEST	57168	445	192.168.2.5	10.50.70.1
Jul 12, 2024 08:13:02.975174904 CEST	57151	445	192.168.2.5	149.78.23.2
Jul 12, 2024 08:13:02.975816011 CEST	57248	445	192.168.2.5	185.148.241.2

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 12, 2024 08:11:55.324048042 CEST	57367	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:11:55.484185934 CEST	53	57367	1.1.1.1	192.168.2.5
Jul 12, 2024 08:11:56.195116043 CEST	53163	53	192.168.2.5	1.1.1.1
Jul 12, 2024 08:11:56.438673973 CEST	53	53163	1.1.1.1	192.168.2.5
Jul 12, 2024 08:12:17.444612980 CEST	53	54512	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 12, 2024 08:11:55.324048042 CEST	192.168.2.5	1.1.1.1	0x5fd5	Standard query (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false
Jul 12, 2024 08:11:56.195116043 CEST	192.168.2.5	1.1.1.1	0x5b74	Standard query (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 12, 2024 08:11:55.484185934 CEST	1.1.1.1	192.168.2.5	0x5fd5	No error (0)	www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com		103.224.212.215	A (IP address)	IN (0x0001)	false
Jul 12, 2024 08:11:56.438673973 CEST	1.1.1.1	192.168.2.5	0x5b74	No error (0)	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com	77026.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 12, 2024 08:11:56.438673973 CEST	1.1.1.1	192.168.2.5	0x5b74	No error (0)	77026.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slscr.update.microsoft.com

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	103.224.212.215	80	7108	C:\Users\user\Desktop\yrBA01LVo2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 12, 2024 08:11:55.495357037 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jul 12, 2024 08:11:56.187971115 CEST	365	IN	HTTP/1.1 302 Found date: Fri, 12 Jul 2024 06:11:56 GMT server: Apache set-cookie: __tad=1720764716.7475799; expires=Mon, 10-Jul-2034 06:11:56 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-56c7-8cb1-aab7e5f01544 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	199.59.243.226	80	7108	C:\Users\user\Desktop\yrBA01LVo2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 12, 2024 08:11:56.445528984 CEST	169	OUT	GET /?subid1=20240712-1611-56c7-8cb1-aab7e5f01544 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jul 12, 2024 08:11:56.907282114 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 12 Jul 2024 06:11:56 GMT content-type: text/html; charset=utf-8 content-length: 1258 x-request-id: 09f54ebc-1607-4928-9eb7-1c89c752f946 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_z3+3zo1dq695acmDmqsE0o2iFkM98d09qDAxF/OSnAPh6sxb1VLjLzjWSQfAludyh2t8iiFDrNDMHrWx24jEmQ== set-cookie: parking_session=09f54ebc-1607-4928-9eb7-1c89c752f946; expires=Fri, 12 Jul 2024 06:26:56 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 7a 33 2b 33 7a 6f 31 64 71 36 39 35 61 63 6d 44 6d 71 73 45 30 6f 32 69 46 6b 4d 39 38 64 30 39 71 44 41 78 46 2f 4f 53 6e 41 50 68 36 73 78 62 31 56 4c 6a 4c 7a 6a 57 53 51 66 41 6c 75 64 79 68 32 74 38 69 69 46 44 72 4e 44 4d 48 72 57 78 32 34 6a 45 6d 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_z3+3zo1dq695acmDmqsE0o2iFkM98d09qDAxF/OSnAPh6sxb1VLjLzjWSQfAludyh2t8iiFDrNDMHrWx24jEmQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jul 12, 2024 08:11:56.907345057 CEST	692	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDlmNTRlYmMtMTYwNy00OTI4LTllYjctMWM4OWM3NTJmOTQ2IiwicGFnZV90aW1lIjoxNzIwNzY0NzE2LCJwYWdlX3VybCI6I

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	103.224.212.215	80	5508	C:\Users\user\Desktop\yrBA01LVo2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 12, 2024 08:11:57.248883009 CEST	100	OUT	GET / HTTP/1.1 Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Cache-Control: no-cache
Jul 12, 2024 08:11:57.877907991 CEST	365	IN	HTTP/1.1 302 Found date: Fri, 12 Jul 2024 06:11:57 GMT server: Apache set-cookie: __tad=1720764717.5636787; expires=Mon, 10-Jul-2034 06:11:57 GMT; Max-Age=315360000 location: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20240712-1611-575d-a069-1da1339fd736 content-length: 2 content-type: text/html; charset=UTF-8 connection: close Data Raw: 0a 0a Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	199.59.243.226	80	5508	C:\Users\user\Desktop\yrBA01LVo2.exe

Timestamp	Bytes transferred	Direction	Data
Jul 12, 2024 08:11:57.888644934 CEST	169	OUT	GET /?subid1=20240712-1611-575d-a069-1da1339fd736 HTTP/1.1 Cache-Control: no-cache Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com Connection: Keep-Alive
Jul 12, 2024 08:11:58.364789009 CEST	1236	IN	HTTP/1.1 200 OK date: Fri, 12 Jul 2024 06:11:57 GMT content-type: text/html; charset=utf-8 content-length: 1258 x-request-id: d1b97704-9761-44e4-bc49-86973340f7fe cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWWVP+MHY7HLVI1wJ9uZM2dMlsfThHvdHhfQnXTLeKU9azTJoTqL+59yum9Vaujye167LXD91hTbQf5aSyYJOw== set-cookie: parking_session=d1b97704-9761-44e4-bc49-86973340f7fe; expires=Fri, 12 Jul 2024 06:26:58 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 68 57 57 56 50 2b 4d 48 59 37 48 4c 56 49 31 77 4a 39 75 5a 4d 32 64 4d 6c 73 66 54 68 48 76 64 48 68 66 51 6e 58 54 4c 65 4b 55 39 61 7a 54 4a 6f 54 71 4c 2b 35 39 79 75 6d 39 56 61 75 6a 79 65 31 36 37 4c 58 44 39 31 68 54 62 51 66 35 61 53 79 59 4a 4f 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_hWWVP+MHY7HLVI1wJ9uZM2dMlsfThHvdHhfQnXTLeKU9azTJoTqL+59yum9Vaujye167LXD91hTbQf5aSyYJOw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="pr
Jul 12, 2024 08:11:58.364913940 CEST	692	IN	Data Raw: 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 74 61 72 67 65 Data Ascii: econnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDFiOTc3MDQtOTc2MS00NGU0LWJjNDktODY5NzMzNDBmN2ZlIiwicGFnZV90aW1lIjoxNzIwNzY0NzE4LCJwYWdlX3VybCI6I

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49887	52.165.165.26	443

Timestamp	Bytes transferred	Direction	Data
2024-07-12 06:12:14 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BSddhgcBDph9M7&MD=UAFFSYcE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-12 06:12:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 1e0e9a66-cd26-4c98-a74a-6218b2d0fbb6 MS-RequestId: c5308cd8-22a8-4968-acf4-9cf16913e7b3 MS-CV: Vt2xmLiGiUayxKPV.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 12 Jul 2024 06:12:14 GMT Connection: close Content-Length: 24490
2024-07-12 06:12:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-07-12 06:12:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	57034	20.114.59.183	443

Timestamp	Bytes transferred	Direction	Data
2024-07-12 06:12:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=1BSddhgcBDph9M7&MD=UAFFSYcE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-07-12 06:12:55 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "vic+p1MiJJ+/WMnK08jaWnCBGDfvkGRzPk9f8ZadQHg=_1440" MS-CorrelationId: 4ec80965-e154-4f93-bd86-5423f9c36c08 MS-RequestId: dcd43a2c-1d92-4fa7-8fc5-cb7d2fca52cd MS-CV: Re1QMJloNEGIpQZd.0 X-Microsoft-SLSClientCache: 1440 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Fri, 12 Jul 2024 06:12:54 GMT Connection: close Content-Length: 30005
2024-07-12 06:12:55 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 8d 2b 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 5b 49 00 00 14 00 00 00 00 00 10 00 8d 2b 00 00 a8 49 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 72 4d 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 fe f6 51 be 21 2b 72 4d 43 4b ed 7c 05 58 54 eb da f6 14 43 49 37 0a 02 d2 b9 86 0e 41 52 a4 1b 24 a5 bb 43 24 44 18 94 90 92 52 41 3a 05 09 95 ee 54 b0 00 91 2e e9 12 10 04 11 c9 6f 10 b7 a2 67 9f bd cf 3e ff b7 ff b3 bf 73 ed e1 9a 99 f5 c6 7a d7 bb de f5 3e cf fd 3c f7 dc 17 4a 1a 52 e7 41 a8 97 1e 14 f4 e5 25 7d f4 05 82 82 c1 20 30 08 06 ba c3 05 02 11 7f a9 c1 ff d2 87 5c 1e f4 ed 65 8e 7a 1f f6 0a 40 03 1d 7b f9 83 2c 1c 2f db b8 3a 39 3a 58 38 ba 73 5e Data Ascii: MSCF+D[I+IdrMenvironment.cabQ!+rMCK\|XTCI7AR$C$DRA:T.og>sz><JRA%} 0\ez@{,/:9:X8s^
2024-07-12 06:12:55 UTC	14181	IN	Data Raw: 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 26 30 24 06 03 55 04 03 13 1d 4d 69 63 72 6f 73 6f 66 74 20 54 69 6d 65 2d 53 74 61 6d 70 20 50 43 41 20 32 30 31 30 30 1e 17 0d 32 33 31 30 31 32 31 39 30 37 32 35 5a 17 0d 32 35 30 31 31 30 31 39 30 37 32 35 5a 30 81 d2 31 0b 30 09 06 03 55 04 06 13 02 55 53 31 13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e 67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 52 65 64 6d 6f 6e 64 31 1e 30 1c 06 03 55 04 0a 13 15 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 31 2d 30 2b 06 03 55 04 0b 13 24 4d 69 63 72 6f Data Ascii: UUS10UWashington10URedmond10UMicrosoft Corporation1&0$UMicrosoft Time-Stamp PCA 20100231012190725Z250110190725Z010UUS10UWashington10URedmond10UMicrosoft Corporation1-0+U$Micro

Target ID:	0
Start time:	02:11:54
Start date:	12/07/2024
Path:	C:\Users\user\Desktop\yrBA01LVo2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yrBA01LVo2.exe"
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	DA8DDE3005365992711946C4622A3C74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000000.1999381187.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:11:56
Start date:	12/07/2024
Path:	C:\Users\user\Desktop\yrBA01LVo2.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\yrBA01LVo2.exe -m security
Imagebase:	0x400000
File size:	2'281'472 bytes
MD5 hash:	DA8DDE3005365992711946C4622A3C74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000002.00000000.2018076872.000000000040F000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000002.00000002.2671560893.0000000002289000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000002.00000002.2671276992.0000000001D61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:12:41
Start date:	12/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	71.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	63.2%
Total number of Nodes:	38
Total number of Limit Nodes:	9

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F390EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000004,00000000), ref: 00407E43
WriteFile.KERNELBASE(00000000,?,00000000,?,00000000), ref: 00407E61
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00407E68
CreateProcessA.KERNELBASE ref: 00407EE8
CloseHandle.KERNEL32(00000000), ref: 00407EF7
CloseHandle.KERNEL32(08000000), ref: 00407F02

Strings

D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
WriteFile, xrefs: 00407D1C
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D
/i, xrefs: 00407E8D
CloseHandle, xrefs: 00407D29
C:\%s\qeriuwjhrf, xrefs: 00407E12
CreateProcessA, xrefs: 00407D07
CreateFileA, xrefs: 00407D0F
tasksche.exe, xrefs: 00407DEA

Memory Dump Source

Source File: 00000000.00000002.2031797583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031770948.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031824180.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031903602.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: AddressProcResource$CloseFileHandle$CreateFindsprintf$ChangeLoadLockModuleMoveNotificationProcessSizeofWrite
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 1541710770-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.KERNELBASE ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000000.00000002.2031797583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031770948.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031824180.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031903602.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000000.00000002.2031797583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031770948.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031824180.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031903602.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F390EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000000.00000002.2031797583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031770948.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031824180.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031903602.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F390EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000000.00000002.2031797583.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2031770948.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031824180.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031849170.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031903602.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2031973988.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Analysis Process: yrBA01LVo2.exePID: 5508, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	34.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	36
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
__p___argc.MSVCRT ref: 004080A5
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,00000000,?,004081B2), ref: 004080C3
OpenServiceA.ADVAPI32(00000000,mssecsvc2.1,000F01FF,6F390EF0,00000000,?,004081B2), ref: 004080DC
CloseServiceHandle.ADVAPI32(00000000,?,?,?,004081B2), ref: 004080FA
CloseServiceHandle.ADVAPI32(00000000,?,004081B2), ref: 004080FD
StartServiceCtrlDispatcherA.ADVAPI32(?,?,?), ref: 00408126

Strings

mssecsvc2.1, xrefs: 004080D6, 00408105

Memory Dump Source

Source File: 00000002.00000002.2667490385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2667478265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667508008.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667637821.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667647828.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$CtrlDispatcherFileManagerModuleNameStart__p___argc
String ID: mssecsvc2.1
API String ID: 4274534310-2839763450
Opcode ID: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction ID: 0eddf8d8cc97b5ba853ece0b0f9ce4fe0dc31dc3004373c78c05f92e851b2f94
Opcode Fuzzy Hash: 14f2d0f9cf239aa653f070f930b60ae04978eb0b591616557438e437b3700a6a
Instruction Fuzzy Hash: 4A014775640315BBE3117F149E4AF6F3AA4EF80B19F404429F544762D2DFB888188AAF

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0040817B
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,84000000,00000000), ref: 00408194
InternetCloseHandle.WININET(00000000), ref: 004081A7
InternetCloseHandle.WININET(00000000), ref: 004081AB

Part of subcall function 00408090: GetModuleFileNameA.KERNEL32(00000000,0070F760,00000104,?,004081B2), ref: 0040809F
Part of subcall function 00408090: __p___argc.MSVCRT ref: 004080A5

Strings

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, xrefs: 0040814A

Memory Dump Source

Source File: 00000002.00000002.2667490385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2667478265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667508008.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667637821.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667647828.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileModuleName__p___argc
String ID: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
API String ID: 774561529-2614457033
Opcode ID: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction ID: 3b8a91e0baa4f3639afdb349cfc438007093f0a6557163af6b5eb03d237fc32a
Opcode Fuzzy Hash: 0bbc0dabe610ff42f1f9ad6e85cc21407dd9b1b68127969cd029bea3a518856a
Instruction Fuzzy Hash: B3018671548310AEE310DF748D01B6B7BE9EF85710F01082EF984F72C0EAB59804876B

Non-executed Functions

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

sprintf.MSVCRT ref: 00407C56
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407C68
CreateServiceA.ADVAPI32(00000000,mssecsvc2.1,Microsoft Security Center (2.1) Service,000F01FF,00000010,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000,6F390EF0,00000000), ref: 00407C9B
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00407CB2
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CB9
CloseServiceHandle.ADVAPI32(00000000), ref: 00407CBC

Strings

%s -m security, xrefs: 00407C50
mssecsvc2.1, xrefs: 00407C95
Microsoft Security Center (2.1) Service, xrefs: 00407C90

Memory Dump Source

Source File: 00000002.00000002.2667490385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2667478265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667508008.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667637821.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667647828.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$CreateManagerOpenStartsprintf
String ID: %s -m security$Microsoft Security Center (2.1) Service$mssecsvc2.1
API String ID: 3340711343-2450984573
Opcode ID: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction ID: 2288e5cc66680fabefb91112cf05624c6df81315eb9d87428618c258e2ee617f
Opcode Fuzzy Hash: c3592d809756ac94f014d34e1e4fa0c14de5620095203194e3f9233ad68c92ee
Instruction Fuzzy Hash: AD01D1717C43043BF2305B149D8BFEB3658AB84F01F500025FB44B92D0DAF9A81491AF

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,00000000,6F390EF0,?,00000000), ref: 00407CEF
GetProcAddress.KERNEL32(00000000,CreateProcessA), ref: 00407D0D
GetProcAddress.KERNEL32(00000000,CreateFileA), ref: 00407D1A
GetProcAddress.KERNEL32(00000000,WriteFile), ref: 00407D27
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00407D34
FindResourceA.KERNEL32(00000000,00000727,0043137C), ref: 00407D74
LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407D86
LockResource.KERNEL32(00000000,?,00000000), ref: 00407D95
SizeofResource.KERNEL32(00000000,00000000,?,00000000), ref: 00407DA9
sprintf.MSVCRT ref: 00407E01
sprintf.MSVCRT ref: 00407E18
MoveFileExA.KERNEL32(?,?,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00407E2C

Strings

/i, xrefs: 00407E8D
D, xrefs: 00407ED3
kernel32.dll, xrefs: 00407CEA
C:\%s\qeriuwjhrf, xrefs: 00407E12
tasksche.exe, xrefs: 00407DEA
CloseHandle, xrefs: 00407D29
WriteFile, xrefs: 00407D1C
CreateFileA, xrefs: 00407D0F
CreateProcessA, xrefs: 00407D07
C:\%s\%s, xrefs: 00407DFB
WINDOWS, xrefs: 00407DF2, 00407E0D

Memory Dump Source

Source File: 00000002.00000002.2667490385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2667478265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667508008.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667637821.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667647828.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: AddressProcResource$sprintf$FileFindHandleLoadLockModuleMoveSizeof
String ID: /i$C:\%s\%s$C:\%s\qeriuwjhrf$CloseHandle$CreateFileA$CreateProcessA$D$WINDOWS$WriteFile$kernel32.dll$tasksche.exe
API String ID: 4072214828-1507730452
Opcode ID: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction ID: 13a48b3e7e70fc1f7524b3ea2ca00aec236584d0bbebcf852995d03268f4a9c8
Opcode Fuzzy Hash: fb819ea0bbfac7cba45177718834bfaea6ecb5a57a4692884010a03d6946efb9
Instruction Fuzzy Hash: B15197715043496FE7109F74DC84AAB7B98EB88354F14493EF651A32E0DA7898088BAA

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__set_app_type.MSVCRT ref: 00409A43
__p__fmode.MSVCRT ref: 00409A58
__p__commode.MSVCRT ref: 00409A66
__setusermatherr.MSVCRT ref: 00409A92
_initterm.MSVCRT ref: 00409AA8
__getmainargs.MSVCRT ref: 00409ACB
_initterm.MSVCRT ref: 00409ADB
GetStartupInfoA.KERNEL32(?), ref: 00409B1A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00409B3E
exit.MSVCRT ref: 00409B4E
_XcptFilter.MSVCRT ref: 00409B60

Memory Dump Source

Source File: 00000002.00000002.2667490385.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2667478265.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667508008.000000000040A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667574480.000000000040F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667627520.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667637821.000000000042F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667647828.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.0000000000710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.000000000083B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.2667717871.00000000008A0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_yrBA01LVo2.jbxd

Yara matches

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__getmainargs__p__commode__p__fmode__set_app_type__setusermatherrexit
String ID:
API String ID: 801014965-0
Opcode ID: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction ID: f220c78e044b43db95b39954543cb8470338bddc8e57b6bf74c51ec52977e19a
Opcode Fuzzy Hash: e3007c8091b935f0f6e9b16d849c1c27a397ab206965397834d54df9927598b6
Instruction Fuzzy Hash: AF415E71800348EFDB24DFA4ED45AAA7BB8FB09720F20413BE451A72D2D7786841CB59

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yrBA01LVo2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\tasksche.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
yrBA01LVo2.exe

Function 00407CE0 Relevance: 50.9, APIs: 18, Strings: 11, Instructions: 175
libraryloaderfileCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408090 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 49
serviceCOMMON

Function 00408140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45
networkCOMMON

Function 00407C40 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 54
serviceCOMMON

Function 00407CE0 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 175
libraryloaderCOMMON

Function 00409A16 Relevance: 16.6, APIs: 11, Instructions: 111
COMMON